search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Samba: minor fix for processing requested access flags.
[tomato.git] / release / src / router / samba / source / smbd / nttrans.c
blob38b69fe587dfbd41d9c198bb662cf3b329d3097e
1 /*
2 Unix SMB/Netbios implementation.
3 Version 1.9.
4 SMB NT transaction handling
5 Copyright (C) Jeremy Allison 1994-1998
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */
21
22 #include "includes.h"
23 #include "nterr.h"
24
25 extern int DEBUGLEVEL;
26 extern int Protocol;
27 extern int Client;
28 extern int smb_read_error;
29 extern int global_oplock_break;
30 extern BOOL case_sensitive;
31 extern BOOL case_preserve;
32 extern BOOL short_case_preserve;
33
34 static void remove_pending_change_notify_requests_by_mid(int mid);
35
36 static char *known_nt_pipes[] = {
37 "\\LANMAN",
38 "\\srvsvc",
39 "\\samr",
40 "\\wkssvc",
41 "\\NETLOGON",
42 "\\ntlsa",
43 "\\ntsvcs",
44 "\\lsass",
45 "\\lsarpc",
46 "\\winreg",
47 NULL
48 };
49
50 /****************************************************************************
51 Send the required number of replies back.
52 We assume all fields other than the data fields are
53 set correctly for the type of call.
54 HACK ! Always assumes smb_setup field is zero.
55 ****************************************************************************/
56
57 static int send_nt_replies(char *inbuf, char *outbuf, int bufsize, uint32 nt_error, char *params,
58 int paramsize, char *pdata, int datasize)
59 {
60 extern int max_send;
61 int data_to_send = datasize;
62 int params_to_send = paramsize;
63 int useable_space;
64 char *pp = params;
65 char *pd = pdata;
66 int params_sent_thistime, data_sent_thistime, total_sent_thistime;
67 int alignment_offset = 3;
68 int data_alignment_offset = 0;
69
70 /*
71 * Initially set the wcnt area to be 18 - this is true for all
72 * transNT replies.
73 */
74
75 set_message(outbuf,18,0,True);
76
77 if(nt_error != 0) {
78 /* NT Error. */
79 SSVAL(outbuf,smb_flg2, SVAL(outbuf,smb_flg2) | FLAGS2_32_BIT_ERROR_CODES);
80
81 ERROR(0,nt_error);
82 }
83
84 /*
85 * If there genuinely are no parameters or data to send just send
86 * the empty packet.
87 */
88
89 if(params_to_send == 0 && data_to_send == 0) {
90 send_smb(Client,outbuf);
91 return 0;
92 }
93
94 /*
95 * When sending params and data ensure that both are nicely aligned.
96 * Only do this alignment when there is also data to send - else
97 * can cause NT redirector problems.
98 */
99
100 if (((params_to_send % 4) != 0) && (data_to_send != 0))
101 data_alignment_offset = 4 - (params_to_send % 4);
102
103 /*
104 * Space is bufsize minus Netbios over TCP header minus SMB header.
105 * The alignment_offset is to align the param bytes on a four byte
106 * boundary (2 bytes for data len, one byte pad).
107 * NT needs this to work correctly.
108 */
109
110 useable_space = bufsize - ((smb_buf(outbuf)+
111 alignment_offset+data_alignment_offset) -
112 outbuf);
113
114 /*
115 * useable_space can never be more than max_send minus the
116 * alignment offset.
117 */
118
119 useable_space = MIN(useable_space,
120 max_send - (alignment_offset+data_alignment_offset));
121
122
123 while (params_to_send || data_to_send) {
124
125 /*
126 * Calculate whether we will totally or partially fill this packet.
127 */
128
129 total_sent_thistime = params_to_send + data_to_send +
130 alignment_offset + data_alignment_offset;
131
132 /*
133 * We can never send more than useable_space.
134 */
135
136 total_sent_thistime = MIN(total_sent_thistime, useable_space);
137
138 set_message(outbuf, 18, total_sent_thistime, True);
139
140 /*
141 * Set total params and data to be sent.
142 */
143
144 SIVAL(outbuf,smb_ntr_TotalParameterCount,paramsize);
145 SIVAL(outbuf,smb_ntr_TotalDataCount,datasize);
146
147 /*
148 * Calculate how many parameters and data we can fit into
149 * this packet. Parameters get precedence.
150 */
151
152 params_sent_thistime = MIN(params_to_send,useable_space);
153 data_sent_thistime = useable_space - params_sent_thistime;
154 data_sent_thistime = MIN(data_sent_thistime,data_to_send);
155
156 SIVAL(outbuf,smb_ntr_ParameterCount,params_sent_thistime);
157
158 if(params_sent_thistime == 0) {
159 SIVAL(outbuf,smb_ntr_ParameterOffset,0);
160 SIVAL(outbuf,smb_ntr_ParameterDisplacement,0);
161 } else {
162 /*
163 * smb_ntr_ParameterOffset is the offset from the start of the SMB header to the
164 * parameter bytes, however the first 4 bytes of outbuf are
165 * the Netbios over TCP header. Thus use smb_base() to subtract
166 * them from the calculation.
167 */
168
169 SIVAL(outbuf,smb_ntr_ParameterOffset,
170 ((smb_buf(outbuf)+alignment_offset) - smb_base(outbuf)));
171 /*
172 * Absolute displacement of param bytes sent in this packet.
173 */
174
175 SIVAL(outbuf,smb_ntr_ParameterDisplacement,pp - params);
176 }
177
178 /*
179 * Deal with the data portion.
180 */
181
182 SIVAL(outbuf,smb_ntr_DataCount, data_sent_thistime);
183
184 if(data_sent_thistime == 0) {
185 SIVAL(outbuf,smb_ntr_DataOffset,0);
186 SIVAL(outbuf,smb_ntr_DataDisplacement, 0);
187 } else {
188 /*
189 * The offset of the data bytes is the offset of the
190 * parameter bytes plus the number of parameters being sent this time.
191 */
192
193 SIVAL(outbuf,smb_ntr_DataOffset,((smb_buf(outbuf)+alignment_offset) -
194 smb_base(outbuf)) + params_sent_thistime + data_alignment_offset);
195 SIVAL(outbuf,smb_ntr_DataDisplacement, pd - pdata);
196 }
197
198 /*
199 * Copy the param bytes into the packet.
200 */
201
202 if(params_sent_thistime)
203 memcpy((smb_buf(outbuf)+alignment_offset),pp,params_sent_thistime);
204
205 /*
206 * Copy in the data bytes
207 */
208
209 if(data_sent_thistime)
210 memcpy(smb_buf(outbuf)+alignment_offset+params_sent_thistime+
211 data_alignment_offset,pd,data_sent_thistime);
212
213 DEBUG(9,("nt_rep: params_sent_thistime = %d, data_sent_thistime = %d, useable_space = %d\n",
214 params_sent_thistime, data_sent_thistime, useable_space));
215 DEBUG(9,("nt_rep: params_to_send = %d, data_to_send = %d, paramsize = %d, datasize = %d\n",
216 params_to_send, data_to_send, paramsize, datasize));
217
218 /* Send the packet */
219 send_smb(Client,outbuf);
220
221 pp += params_sent_thistime;
222 pd += data_sent_thistime;
223
224 params_to_send -= params_sent_thistime;
225 data_to_send -= data_sent_thistime;
226
227 /*
228 * Sanity check
229 */
230
231 if(params_to_send < 0 || data_to_send < 0) {
232 DEBUG(0,("send_nt_replies failed sanity check pts = %d, dts = %d\n!!!",
233 params_to_send, data_to_send));
234 return -1;
235 }
236 }
237
238 return 0;
239 }
240
241 /****************************************************************************
242 (Hopefully) temporary call to fix bugs in NT5.0beta2. This OS sends unicode
243 strings in NT calls AND DOESN'T SET THE UNICODE BIT !!!!!!!
244 ****************************************************************************/
245
246 static void get_filename( char *fname, char *inbuf, int data_offset, int data_len, int fname_len)
247 {
248 /*
249 * We need various heuristics here to detect a unicode string... JRA.
250 */
251
252 DEBUG(10,("get_filename: data_offset = %d, data_len = %d, fname_len = %d\n",
253 data_offset, data_len, fname_len ));
254
255 if(data_len - fname_len > 1) {
256 /*
257 * NT 5.0 Beta 2 has kindly sent us a UNICODE string
258 * without bothering to set the unicode bit. How kind.
259 *
260 * Firstly - ensure that the data offset is aligned
261 * on a 2 byte boundary - add one if not.
262 */
263 fname_len = fname_len/2;
264 if(data_offset & 1)
265 data_offset++;
266 pstrcpy(fname, dos_unistrn2((uint16 *)(inbuf+data_offset), fname_len));
267 } else {
268 StrnCpy(fname,inbuf+data_offset,fname_len);
269 fname[fname_len] = '\0';
270 }
271 }
272
273 /****************************************************************************
274 Fix bugs in Win2000 final release. In trans calls this OS sends unicode
275 strings AND DOESN'T SET THE UNICODE BIT !!!!!!!
276 ****************************************************************************/
277
278 static void get_filename_transact( char *fname, char *inbuf, int data_offset, int data_len, int fname_len)
279 {
280 /*
281 * We need various heuristics here to detect a unicode string... JRA.
282 */
283
284 DEBUG(10,("get_filename_transact: data_offset = %d, data_len = %d, fname_len = %d\n",
285 data_offset, data_len, fname_len ));
286
287 /*
288 * Win2K sends a unicode filename plus one extra alingment byte.
289 * WinNT4.x send an ascii string with multiple garbage bytes on
290 * the end here.
291 */
292
293 if((data_len - fname_len == 1) || (inbuf[data_offset] == '\0')) {
294 /*
295 * Ensure that the data offset is aligned
296 * on a 2 byte boundary - add one if not.
297 */
298 fname_len = fname_len/2;
299 if(data_offset & 1)
300 data_offset++;
301 pstrcpy(fname, dos_unistrn2((uint16 *)(inbuf+data_offset), fname_len));
302 } else {
303 StrnCpy(fname,inbuf+data_offset,fname_len);
304 fname[fname_len] = '\0';
305 }
306 }
307
308 /****************************************************************************
309 Save case statics.
310 ****************************************************************************/
311
312 static BOOL saved_case_sensitive;
313 static BOOL saved_case_preserve;
314 static BOOL saved_short_case_preserve;
315
316 /****************************************************************************
317 Save case semantics.
318 ****************************************************************************/
319
320 static void set_posix_case_semantics(uint32 file_attributes)
321 {
322 if(!(file_attributes & FILE_FLAG_POSIX_SEMANTICS))
323 return;
324
325 saved_case_sensitive = case_sensitive;
326 saved_case_preserve = case_preserve;
327 saved_short_case_preserve = short_case_preserve;
328
329 /* Set to POSIX. */
330 case_sensitive = True;
331 case_preserve = True;
332 short_case_preserve = True;
333 }
334
335 /****************************************************************************
336 Restore case semantics.
337 ****************************************************************************/
338
339 static void restore_case_semantics(uint32 file_attributes)
340 {
341 if(!(file_attributes & FILE_FLAG_POSIX_SEMANTICS))
342 return;
343
344 case_sensitive = saved_case_sensitive;
345 case_preserve = saved_case_preserve;
346 short_case_preserve = saved_short_case_preserve;
347 }
348
349 /****************************************************************************
350 Utility function to map create disposition.
351 ****************************************************************************/
352
353 static int map_create_disposition( uint32 create_disposition)
354 {
355 int ret;
356
357 switch( create_disposition ) {
358 case FILE_CREATE:
359 /* create if not exist, fail if exist */
360 ret = (FILE_CREATE_IF_NOT_EXIST|FILE_EXISTS_FAIL);
361 break;
362 case FILE_SUPERSEDE:
363 case FILE_OVERWRITE_IF:
364 /* create if not exist, trunc if exist */
365 ret = (FILE_CREATE_IF_NOT_EXIST|FILE_EXISTS_TRUNCATE);
366 break;
367 case FILE_OPEN:
368 /* fail if not exist, open if exists */
369 ret = (FILE_FAIL_IF_NOT_EXIST|FILE_EXISTS_OPEN);
370 break;
371 case FILE_OPEN_IF:
372 /* create if not exist, open if exists */
373 ret = (FILE_CREATE_IF_NOT_EXIST|FILE_EXISTS_OPEN);
374 break;
375 case FILE_OVERWRITE:
376 /* fail if not exist, truncate if exists */
377 ret = (FILE_FAIL_IF_NOT_EXIST|FILE_EXISTS_TRUNCATE);
378 break;
379 default:
380 DEBUG(0,("map_create_disposition: Incorrect value for create_disposition = %d\n",
381 create_disposition ));
382 return -1;
383 }
384
385 DEBUG(10,("map_create_disposition: Mapped create_disposition %lx to %x\n",
386 (unsigned long)create_disposition, ret ));
387
388 return ret;
389 }
390
391 /****************************************************************************
392 Utility function to map share modes.
393 ****************************************************************************/
394
395 static int map_share_mode( BOOL *pstat_open_only, char *fname, uint32 create_options,
396 uint32 desired_access, uint32 share_access, uint32 file_attributes)
397 {
398 int smb_open_mode = -1;
399
400 DEBUG(6, ("map_share_mode(%s, create_options=0x%x, "
401 "desired_access=0x%x, share_access=0x%x, "
402 "file_attributes=0x%x\n",
403 fname, create_options, desired_access,
404 share_access, file_attributes));
405
406 *pstat_open_only = False;
407
408 /* this is just so the next switch works sane */
409 if (desired_access & FILE_EXECUTE)
410 desired_access |= FILE_READ_DATA;
411
412 switch( desired_access & (FILE_READ_DATA|FILE_WRITE_DATA|FILE_APPEND_DATA) ) {
413 case FILE_READ_DATA:
414 smb_open_mode = DOS_OPEN_RDONLY;
415 break;
416 case FILE_WRITE_DATA:
417 case FILE_APPEND_DATA:
418 case FILE_WRITE_DATA|FILE_APPEND_DATA:
419 smb_open_mode = DOS_OPEN_WRONLY;
420 break;
421 case FILE_READ_DATA|FILE_WRITE_DATA:
422 case FILE_READ_DATA|FILE_WRITE_DATA|FILE_APPEND_DATA:
423 case FILE_READ_DATA|FILE_APPEND_DATA:
424 smb_open_mode = DOS_OPEN_RDWR;
425 break;
426 }
427
428 /*
429 * NB. For DELETE_ACCESS we should really check the
430 * directory permissions, as that is what controls
431 * delete, and for WRITE_DAC_ACCESS we should really
432 * check the ownership, as that is what controls the
433 * chmod. Note that this is *NOT* a security hole (this
434 * note is for you, Andrew) as we are not *allowing*
435 * the access at this point, the actual unlink or
436 * chown or chmod call would do this. We are just helping
437 * clients out by telling them if they have a hope
438 * of any of this succeeding. POSIX acls may still
439 * deny the real call. JRA.
440 */
441
442 if (smb_open_mode == -1) {
443 if(desired_access == WRITE_DAC_ACCESS || desired_access == READ_CONTROL_ACCESS)
444 *pstat_open_only = True;
445
446 if(desired_access & (DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS|
447 FILE_EXECUTE|FILE_READ_ATTRIBUTES|
448 FILE_READ_EA|FILE_WRITE_EA|SYSTEM_SECURITY_ACCESS|
449 FILE_WRITE_ATTRIBUTES|READ_CONTROL_ACCESS)) {
450 smb_open_mode = DOS_OPEN_RDONLY;
451 } else if (desired_access == 0) {
452 /*
453 * JRA - NT seems to sometimes send desired_access as zero. play it safe
454 * and map to a stat open.
455 */
456 smb_open_mode = DOS_OPEN_RDONLY;
457 } else {
458 DEBUG(0,("map_share_mode: Incorrect value 0x%lx for desired_access to file %s\n",
459 (unsigned long)desired_access, fname));
460 return -1;
461 }
462 }
463
464 /*
465 * Set the special bit that means allow share delete.
466 * This is held outside the normal share mode bits at 1<<15.
467 * JRA.
468 */
469
470 if(share_access & FILE_SHARE_DELETE) {
471 smb_open_mode |= ALLOW_SHARE_DELETE;
472 DEBUG(10,("map_share_mode: FILE_SHARE_DELETE requested. open_mode = 0x%x\n", smb_open_mode));
473 }
474
475 /*
476 * We need to store the intent to open for Delete. This
477 * is what determines if a delete on close flag can be set.
478 * This is the wrong way (and place) to store this, but for 2.x this
479 * is the only practical way. JRA.
480 */
481
482 if(desired_access & DELETE_ACCESS) {
483 DEBUG(10,("map_share_mode: DELETE_ACCESS requested. open_mode = 0x%x\n", smb_open_mode));
484 }
485
486 if (create_options & FILE_DELETE_ON_CLOSE) {
487 /* Implicit delete access is *NOT* requested... */
488 smb_open_mode |= DELETE_ON_CLOSE_FLAG;
489 DEBUG(10,("map_share_mode: FILE_DELETE_ON_CLOSE requested. open_mode = 0x%x\n", smb_open_mode));
490 }
491
492 /* Add in the requested share mode. */
493 switch( share_access & (FILE_SHARE_READ|FILE_SHARE_WRITE)) {
494 case FILE_SHARE_READ:
495 smb_open_mode |= SET_DENY_MODE(DENY_WRITE);
496 break;
497 case FILE_SHARE_WRITE:
498 smb_open_mode |= SET_DENY_MODE(DENY_READ);
499 break;
500 case (FILE_SHARE_READ|FILE_SHARE_WRITE):
501 smb_open_mode |= SET_DENY_MODE(DENY_NONE);
502 break;
503 case FILE_SHARE_NONE:
504 smb_open_mode |= SET_DENY_MODE(DENY_ALL);
505 break;
506 }
507
508 /*
509 * Handle an O_SYNC request.
510 */
511
512 if(file_attributes & FILE_FLAG_WRITE_THROUGH)
513 smb_open_mode |= FILE_SYNC_OPENMODE;
514
515 DEBUG(10,("map_share_mode: Mapped desired access 0x%lx, share access 0x%lx, file attributes 0x%lx \
516 to open_mode 0x%x\n", (unsigned long)desired_access, (unsigned long)share_access,
517 (unsigned long)file_attributes, smb_open_mode ));
518
519 return smb_open_mode;
520 }
521
522 /*
523 * This is a *disgusting* hack.
524 * This is *so* bad that even I'm embarrassed (and I
525 * have no shame). Here's the deal :
526 * Until we get the correct SPOOLSS code into smbd
527 * then when we're running with NT SMB support then
528 * NT makes this call with a level of zero, and then
529 * immediately follows it with an open request to
530 * the \\SRVSVC pipe. If we allow that open to
531 * succeed then NT barfs when it cannot open the
532 * \\SPOOLSS pipe immediately after and continually
533 * whines saying "Printer name is invalid" forever
534 * after. If we cause *JUST THIS NEXT OPEN* of \\SRVSVC
535 * to fail, then NT downgrades to using the downlevel code
536 * and everything works as well as before. I hate
537 * myself for adding this code.... JRA.
538 *
539 * The HACK_FAIL_TIME define allows only a 2
540 * second window for this to occur, just in
541 * case...
542 */
543
544 static BOOL fail_next_srvsvc = False;
545 static time_t fail_time;
546 #define HACK_FAIL_TIME 2 /* In seconds. */
547
548 void fail_next_srvsvc_open(void)
549 {
550 /* Check client is WinNT proper; Win2K doesn't like Jeremy's hack - matty */
551 if (get_remote_arch() != RA_WINNT)
552 return;
553
554 fail_next_srvsvc = True;
555 fail_time = time(NULL);
556 DEBUG(10,("fail_next_srvsvc_open: setting up timeout close of \\srvsvc pipe for print fix.\n"));
557 }
558
559 /*
560 * HACK alert.... see above - JRA.
561 */
562
563 BOOL should_fail_next_srvsvc_open(const char *pipename)
564 {
565
566 DEBUG(10,("should_fail_next_srvsvc_open: fail = %d, pipe = %s\n",
567 (int)fail_next_srvsvc, pipename));
568
569 if(fail_next_srvsvc && (time(NULL) > fail_time + HACK_FAIL_TIME)) {
570 fail_next_srvsvc = False;
571 fail_time = (time_t)0;
572 DEBUG(10,("should_fail_next_srvsvc_open: End of timeout close of \\srvsvc pipe for print fix.\n"));
573 }
574
575 if(fail_next_srvsvc && strequal(pipename, "srvsvc")) {
576 fail_next_srvsvc = False;
577 DEBUG(10,("should_fail_next_srvsvc_open: Deliberately failing open of \\srvsvc pipe for print fix.\n"));
578 return True;
579 }
580 return False;
581 }
582
583
584 /****************************************************************************
585 Reply to an NT create and X call on a pipe.
586 ****************************************************************************/
587 static int nt_open_pipe(char *fname, connection_struct *conn,
588 char *inbuf, char *outbuf, int *ppnum)
589 {
590 pipes_struct *p = NULL;
591
592 uint16 vuid = SVAL(inbuf, smb_uid);
593 int i;
594
595 DEBUG(4,("nt_open_pipe: Opening pipe %s.\n", fname));
596
597 /* See if it is one we want to handle. */
598 for( i = 0; known_nt_pipes[i]; i++ )
599 if( strequal(fname,known_nt_pipes[i]))
600 break;
601
602 if ( known_nt_pipes[i] == NULL )
603 return(ERROR(ERRSRV,ERRaccess));
604
605 /* Strip \\ off the name. */
606 fname++;
607
608 if(should_fail_next_srvsvc_open(fname))
609 return (ERROR(ERRSRV,ERRaccess));
610
611 DEBUG(3,("nt_open_pipe: Known pipe %s opening.\n", fname));
612
613 p = open_rpc_pipe_p(fname, conn, vuid);
614 if (!p)
615 return(ERROR(ERRSRV,ERRnofids));
616
617 *ppnum = p->pnum;
618
619 return 0;
620 }
621
622 /****************************************************************************
623 Reply to an NT create and X call.
624 ****************************************************************************/
625
626 int reply_ntcreate_and_X(connection_struct *conn,
627 char *inbuf,char *outbuf,int length,int bufsize)
628 {
629 pstring fname;
630 uint32 flags = IVAL(inbuf,smb_ntcreate_Flags);
631 uint32 desired_access = IVAL(inbuf,smb_ntcreate_DesiredAccess);
632 uint32 file_attributes = IVAL(inbuf,smb_ntcreate_FileAttributes);
633 uint32 share_access = IVAL(inbuf,smb_ntcreate_ShareAccess);
634 uint32 create_disposition = IVAL(inbuf,smb_ntcreate_CreateDisposition);
635 uint32 create_options = IVAL(inbuf,smb_ntcreate_CreateOptions);
636 uint32 fname_len = MIN(((uint32)SVAL(inbuf,smb_ntcreate_NameLength)),
637 ((uint32)sizeof(fname)-1));
638 uint16 root_dir_fid = (uint16)IVAL(inbuf,smb_ntcreate_RootDirectoryFid);
639 int smb_ofun;
640 int smb_open_mode;
641 int smb_attr = (file_attributes & SAMBA_ATTRIBUTES_MASK);
642 /* Breakout the oplock request bits so we can set the
643 reply bits separately. */
644 int oplock_request = 0;
645 mode_t unixmode;
646 int pnum = -1;
647 int fmode=0,rmode=0;
648 SMB_OFF_T file_len = 0;
649 SMB_STRUCT_STAT sbuf;
650 int smb_action = 0;
651 BOOL bad_path = False;
652 files_struct *fsp=NULL;
653 char *p = NULL;
654 BOOL stat_open_only = False;
655
656 /*
657 * We need to construct the open_and_X ofun value from the
658 * NT values, as that's what our code is structured to accept.
659 */
660
661 if((smb_ofun = map_create_disposition( create_disposition )) == -1)
662 return(ERROR(ERRDOS,ERRbadaccess));
663
664 /*
665 * Get the file name.
666 */
667
668 if(root_dir_fid != 0) {
669 /*
670 * This filename is relative to a directory fid.
671 */
672 files_struct *dir_fsp = file_fsp(inbuf,smb_ntcreate_RootDirectoryFid);
673 size_t dir_name_len;
674
675 if(!dir_fsp)
676 return(ERROR(ERRDOS,ERRbadfid));
677
678 if(!dir_fsp->is_directory) {
679 /*
680 * Check to see if this is a mac fork of some kind.
681 */
682
683 get_filename(&fname[0], inbuf, smb_buf(inbuf)-inbuf,
684 smb_buflen(inbuf),fname_len);
685
686 if( fname[0] == ':') {
687 SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
688 return(ERROR(0, 0xc0000000|NT_STATUS_OBJECT_PATH_NOT_FOUND));
689 }
690 return(ERROR(ERRDOS,ERRbadfid));
691 }
692
693 /*
694 * Copy in the base directory name.
695 */
696
697 pstrcpy( fname, dir_fsp->fsp_name );
698 dir_name_len = strlen(fname);
699
700 /*
701 * Ensure it ends in a '\'.
702 */
703
704 if(fname[dir_name_len-1] != '\\' && fname[dir_name_len-1] != '/') {
705 pstrcat(fname, "\\");
706 dir_name_len++;
707 }
708
709 /*
710 * This next calculation can refuse a correct filename if we're dealing
711 * with the Win2k unicode bug, but that would be rare. JRA.
712 */
713
714 if(fname_len + dir_name_len >= sizeof(pstring))
715 return(ERROR(ERRSRV,ERRfilespecs));
716
717 get_filename(&fname[dir_name_len], inbuf, smb_buf(inbuf)-inbuf,
718 smb_buflen(inbuf),fname_len);
719
720 } else {
721
722 get_filename(fname, inbuf, smb_buf(inbuf)-inbuf,
723 smb_buflen(inbuf),fname_len);
724 }
725
726 /* If it's an IPC, use the pipe handler. */
727
728 if (IS_IPC(conn) && lp_nt_pipe_support()) {
729
730 int ret = nt_open_pipe(fname, conn, inbuf, outbuf, &pnum);
731 if(ret != 0)
732 return ret;
733
734 /*
735 * Deal with pipe return.
736 */
737
738 set_message(outbuf,34,0,True);
739
740 p = outbuf + smb_vwv2;
741 p++;
742 SSVAL(p,0,pnum);
743 p += 2;
744 SIVAL(p,0,FILE_WAS_OPENED);
745 p += 4;
746 p += 32;
747 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
748 p += 20;
749 /* File type. */
750 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
751 /* Device state. */
752 SSVAL(p,2, 0x5FF); /* ? */
753
754 DEBUG(5,("reply_ntcreate_and_X: open pipe = %s\n", fname));
755
756 return chain_reply(inbuf,outbuf,length,bufsize);
757 }
758
759 /*
760 * Now contruct the smb_open_mode value from the filename,
761 * desired access and the share access.
762 */
763
764 if((smb_open_mode = map_share_mode(&stat_open_only, fname, create_options, desired_access,
765 share_access,
766 file_attributes)) == -1)
767 return(ERROR(ERRDOS,ERRbadaccess));
768
769 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
770 oplock_request |= (flags & REQUEST_BATCH_OPLOCK) ? BATCH_OPLOCK : 0;
771
772 /*
773 * Ordinary file or directory.
774 */
775
776 /*
777 * Check if POSIX semantics are wanted.
778 */
779
780 set_posix_case_semantics(file_attributes);
781
782 unix_convert(fname,conn,0,&bad_path,NULL);
783
784 fsp = file_new();
785 if (!fsp) {
786 restore_case_semantics(file_attributes);
787 return(ERROR(ERRSRV,ERRnofids));
788 }
789
790 if (!check_name(fname,conn)) {
791 if((errno == ENOENT) && bad_path) {
792 unix_ERR_class = ERRDOS;
793 unix_ERR_code = ERRbadpath;
794 }
795 file_free(fsp);
796
797 restore_case_semantics(file_attributes);
798
799 return(UNIXERROR(ERRDOS,ERRnoaccess));
800 }
801
802 unixmode = unix_mode(conn,smb_attr | aARCH, fname);
803
804 /*
805 * If it's a request for a directory open, deal with it separately.
806 */
807
808 if(create_options & FILE_DIRECTORY_FILE) {
809 oplock_request = 0;
810
811 open_directory(fsp, conn, fname, smb_ofun,
812 unixmode, &smb_action);
813
814 restore_case_semantics(file_attributes);
815
816 if(!fsp->open) {
817 file_free(fsp);
818 return(UNIXERROR(ERRDOS,ERRnoaccess));
819 }
820 } else {
821 /*
822 * Ordinary file case.
823 */
824
825 /* NB. We have a potential bug here. If we
826 * cause an oplock break to ourselves, then we
827 * could end up processing filename related
828 * SMB requests whilst we await the oplock
829 * break response. As we may have changed the
830 * filename case semantics to be POSIX-like,
831 * this could mean a filename request could
832 * fail when it should succeed. This is a rare
833 * condition, but eventually we must arrange
834 * to restore the correct case semantics
835 * before issuing an oplock break request to
836 * our client. JRA. */
837
838 open_file_shared(fsp,conn,fname,smb_open_mode,
839 smb_ofun,unixmode, oplock_request,&rmode,&smb_action);
840
841 if (!fsp->open) {
842 /* We cheat here. There are two cases we
843 * care about. One is a directory rename,
844 * where the NT client will attempt to
845 * open the source directory for
846 * DELETE access. Note that when the
847 * NT client does this it does *not*
848 * set the directory bit in the
849 * request packet. This is translated
850 * into a read/write open
851 * request. POSIX states that any open
852 * for write request on a directory
853 * will generate an EISDIR error, so
854 * we can catch this here and open a
855 * pseudo handle that is flagged as a
856 * directory. The second is an open
857 * for a permissions read only, which
858 * we handle in the open_file_stat case. JRA.
859 */
860
861 if(errno == EISDIR) {
862
863 /*
864 * Fail the open if it was explicitly a non-directory file.
865 */
866
867 if (create_options & FILE_NON_DIRECTORY_FILE) {
868 file_free(fsp);
869 restore_case_semantics(file_attributes);
870 SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
871 return(ERROR(0, 0xc0000000|NT_STATUS_FILE_IS_A_DIRECTORY));
872 }
873
874 oplock_request = 0;
875 open_directory(fsp, conn, fname, smb_ofun, unixmode, &smb_action);
876
877 if(!fsp->open) {
878 file_free(fsp);
879 restore_case_semantics(file_attributes);
880 return(UNIXERROR(ERRDOS,ERRnoaccess));
881 }
882 #ifdef EROFS
883 } else if (((errno == EACCES) || (errno == EROFS)) && stat_open_only) {
884 #else /* !EROFS */
885 } else if (errno == EACCES && stat_open_only) {
886 #endif
887 /*
888 * We couldn't open normally and all we want
889 * are the permissions. Try and do a stat open.
890 */
891
892 oplock_request = 0;
893
894 open_file_stat(fsp,conn,fname,smb_open_mode,&sbuf,&smb_action);
895
896 if(!fsp->open) {
897 file_free(fsp);
898 restore_case_semantics(file_attributes);
899 return(UNIXERROR(ERRDOS,ERRnoaccess));
900 }
901
902 } else {
903
904 if((errno == ENOENT) && bad_path) {
905 unix_ERR_class = ERRDOS;
906 unix_ERR_code = ERRbadpath;
907 }
908
909 file_free(fsp);
910
911 restore_case_semantics(file_attributes);
912
913 return(UNIXERROR(ERRDOS,ERRnoaccess));
914 }
915 }
916 }
917
918 if(fsp->is_directory) {
919 if(dos_stat(fsp->fsp_name, &sbuf) != 0) {
920 close_file(fsp,True);
921 restore_case_semantics(file_attributes);
922 return(ERROR(ERRDOS,ERRnoaccess));
923 }
924 } else {
925 if (!fsp->stat_open && sys_fstat(fsp->fd_ptr->fd,&sbuf) != 0) {
926 close_file(fsp,False);
927 restore_case_semantics(file_attributes);
928 return(ERROR(ERRDOS,ERRnoaccess));
929 }
930 }
931
932 restore_case_semantics(file_attributes);
933
934 file_len = sbuf.st_size;
935 fmode = dos_mode(conn,fname,&sbuf);
936 if(fmode == 0)
937 fmode = FILE_ATTRIBUTE_NORMAL;
938 if (!fsp->is_directory && (fmode & aDIR)) {
939 close_file(fsp,False);
940 return(ERROR(ERRDOS,ERRnoaccess));
941 }
942
943 /*
944 * If the caller set the extended oplock request bit
945 * and we granted one (by whatever means) - set the
946 * correct bit for extended oplock reply.
947 */
948
949 if (oplock_request && lp_fake_oplocks(SNUM(conn)))
950 smb_action |= EXTENDED_OPLOCK_GRANTED;
951
952 if(oplock_request && EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type))
953 smb_action |= EXTENDED_OPLOCK_GRANTED;
954
955 set_message(outbuf,34,0,True);
956
957 p = outbuf + smb_vwv2;
958
959 /*
960 * Currently as we don't support level II oplocks we just report
961 * exclusive & batch here.
962 */
963
964 if (smb_action & EXTENDED_OPLOCK_GRANTED)
965 SCVAL(p,0, BATCH_OPLOCK_RETURN);
966 else if (LEVEL_II_OPLOCK_TYPE(fsp->oplock_type))
967 SCVAL(p,0, LEVEL_II_OPLOCK_RETURN);
968 else
969 SCVAL(p,0,NO_OPLOCK_RETURN);
970
971 p++;
972 SSVAL(p,0,fsp->fnum);
973 p += 2;
974 SIVAL(p,0,smb_action);
975 p += 4;
976
977 /* Create time. */
978 put_long_date(p,get_create_time(&sbuf,lp_fake_dir_create_times(SNUM(conn))));
979 p += 8;
980 put_long_date(p,sbuf.st_atime); /* access time */
981 p += 8;
982 put_long_date(p,sbuf.st_mtime); /* write time */
983 p += 8;
984 put_long_date(p,sbuf.st_mtime); /* change time */
985 p += 8;
986 SIVAL(p,0,fmode); /* File Attributes. */
987 p += 4;
988 SOFF_T(p, 0, file_len);
989 p += 8;
990 SOFF_T(p,0,file_len);
991 p += 12;
992 SCVAL(p,0,fsp->is_directory ? 1 : 0);
993
994 DEBUG(5,("reply_ntcreate_and_X: fnum = %d, open name = %s\n", fsp->fnum, fsp->fsp_name));
995
996 return chain_reply(inbuf,outbuf,length,bufsize);
997 }
998
999 /****************************************************************************
1000 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).
1001 ****************************************************************************/
1002
1003 static int call_nt_transact_create(connection_struct *conn,
1004 char *inbuf, char *outbuf, int length,
1005 int bufsize, char **ppsetup, char **ppparams,
1006 char **ppdata)
1007 {
1008 pstring fname;
1009 char *params = *ppparams;
1010 int total_parameter_count = (int)IVAL(inbuf, smb_nt_TotalParameterCount);
1011 /* Breakout the oplock request bits so we can set the
1012 reply bits separately. */
1013 int oplock_request = 0;
1014 mode_t unixmode;
1015 int pnum = -1;
1016 int fmode=0,rmode=0;
1017 SMB_OFF_T file_len = 0;
1018 SMB_STRUCT_STAT sbuf;
1019 int smb_action = 0;
1020 BOOL bad_path = False;
1021 files_struct *fsp = NULL;
1022 char *p = NULL;
1023 BOOL stat_open_only = False;
1024 uint32 flags;
1025 uint32 desired_access;
1026 uint32 file_attributes;
1027 uint32 share_access;
1028 uint32 create_disposition;
1029 uint32 create_options;
1030 uint32 fname_len;
1031 uint16 root_dir_fid;
1032 int smb_ofun;
1033 int smb_open_mode;
1034 int smb_attr;
1035
1036 DEBUG(5,("call_nt_transact_create\n"));
1037
1038 /*
1039 * Ensure minimum number of parameters sent.
1040 */
1041
1042 if(total_parameter_count < 54) {
1043 DEBUG(0,("call_nt_transact_create - insufficient parameters (%u)\n", (unsigned int)total_parameter_count));
1044 return(ERROR(ERRDOS,ERRbadaccess));
1045 }
1046
1047 flags = IVAL(params,0);
1048 desired_access = IVAL(params,8);
1049 file_attributes = IVAL(params,20);
1050 share_access = IVAL(params,24);
1051 create_disposition = IVAL(params,28);
1052 create_options = IVAL(params,32);
1053 fname_len = MIN(((uint32)IVAL(params,44)),((uint32)sizeof(fname)-1));
1054 root_dir_fid = (uint16)IVAL(params,4);
1055 smb_attr = (file_attributes & SAMBA_ATTRIBUTES_MASK);
1056
1057 /*
1058 * We need to construct the open_and_X ofun value from the
1059 * NT values, as that's what our code is structured to accept.
1060 */
1061
1062 if((smb_ofun = map_create_disposition( create_disposition )) == -1)
1063 return(ERROR(ERRDOS,ERRbadmem));
1064
1065 /*
1066 * Get the file name.
1067 */
1068
1069 if(root_dir_fid != 0) {
1070 /*
1071 * This filename is relative to a directory fid.
1072 */
1073
1074 files_struct *dir_fsp = file_fsp(params,4);
1075 size_t dir_name_len;
1076
1077 if(!dir_fsp)
1078 return(ERROR(ERRDOS,ERRbadfid));
1079
1080 if(!dir_fsp->is_directory) {
1081 /*
1082 * Check to see if this is a mac fork of some kind.
1083 */
1084
1085 get_filename_transact(&fname[0], params, 53,
1086 total_parameter_count - 53 - fname_len, fname_len);
1087
1088 if( fname[0] == ':') {
1089 SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
1090 return(ERROR(0, 0xc0000000|NT_STATUS_OBJECT_PATH_NOT_FOUND));
1091 }
1092
1093 return(ERROR(ERRDOS,ERRbadfid));
1094 }
1095
1096 /*
1097 * Copy in the base directory name.
1098 */
1099
1100 pstrcpy( fname, dir_fsp->fsp_name );
1101 dir_name_len = strlen(fname);
1102
1103 /*
1104 * Ensure it ends in a '\'.
1105 */
1106
1107 if((fname[dir_name_len-1] != '\\') && (fname[dir_name_len-1] != '/')) {
1108 pstrcat(fname, "\\");
1109 dir_name_len++;
1110 }
1111
1112 /*
1113 * This next calculation can refuse a correct filename if we're dealing
1114 * with the Win2k unicode bug, but that would be rare. JRA.
1115 */
1116
1117 if(fname_len + dir_name_len >= sizeof(pstring))
1118 return(ERROR(ERRSRV,ERRfilespecs));
1119
1120 get_filename_transact(&fname[dir_name_len], params, 53,
1121 total_parameter_count - 53 - fname_len, fname_len);
1122
1123 } else {
1124 get_filename_transact(&fname[0], params, 53,
1125 total_parameter_count - 53 - fname_len, fname_len);
1126 }
1127
1128 /* If it's an IPC, use the pipe handler. */
1129 if (IS_IPC(conn)) {
1130 int ret = nt_open_pipe(fname, conn, inbuf, outbuf, &pnum);
1131 if(ret != 0)
1132 return ret;
1133 smb_action = FILE_WAS_OPENED;
1134 } else {
1135
1136 /*
1137 * Now contruct the smb_open_mode value from the desired access
1138 * and the share access.
1139 */
1140
1141 if((smb_open_mode = map_share_mode( &stat_open_only, fname, create_options, desired_access,
1142 share_access, file_attributes)) == -1)
1143 return(ERROR(ERRDOS,ERRbadaccess));
1144
1145 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
1146 oplock_request |= (flags & REQUEST_BATCH_OPLOCK) ? BATCH_OPLOCK : 0;
1147
1148 /*
1149 * Check if POSIX semantics are wanted.
1150 */
1151
1152 set_posix_case_semantics(file_attributes);
1153
1154 unix_convert(fname,conn,0,&bad_path,NULL);
1155
1156 fsp = file_new();
1157 if (!fsp) {
1158 restore_case_semantics(file_attributes);
1159 return(ERROR(ERRSRV,ERRnofids));
1160 }
1161
1162 if (!check_name(fname,conn)) {
1163 if((errno == ENOENT) && bad_path) {
1164 unix_ERR_class = ERRDOS;
1165 unix_ERR_code = ERRbadpath;
1166 }
1167 file_free(fsp);
1168
1169 restore_case_semantics(file_attributes);
1170
1171 return(UNIXERROR(ERRDOS,ERRnoaccess));
1172 }
1173
1174 unixmode = unix_mode(conn,smb_attr | aARCH, fname);
1175
1176 /*
1177 * If it's a request for a directory open, deal with it separately.
1178 */
1179
1180 if(create_options & FILE_DIRECTORY_FILE) {
1181
1182 oplock_request = 0;
1183
1184 /*
1185 * We will get a create directory here if the Win32
1186 * app specified a security descriptor in the
1187 * CreateDirectory() call.
1188 */
1189
1190 open_directory(fsp, conn, fname, smb_ofun, unixmode, &smb_action);
1191
1192 if(!fsp->open) {
1193 file_free(fsp);
1194 restore_case_semantics(file_attributes);
1195 return(UNIXERROR(ERRDOS,ERRnoaccess));
1196 }
1197
1198 if(dos_stat(fsp->fsp_name, &sbuf) != 0) {
1199 close_file(fsp,True);
1200 restore_case_semantics(file_attributes);
1201 return(ERROR(ERRDOS,ERRnoaccess));
1202 }
1203
1204 } else {
1205
1206 /*
1207 * Ordinary file case.
1208 */
1209
1210 open_file_shared(fsp,conn,fname,smb_open_mode,smb_ofun,unixmode,
1211 oplock_request,&rmode,&smb_action);
1212
1213 if (!fsp->open) {
1214
1215 if(errno == EISDIR) {
1216
1217 /*
1218 * Fail the open if it was explicitly a non-directory file.
1219 */
1220
1221 if (create_options & FILE_NON_DIRECTORY_FILE) {
1222 file_free(fsp);
1223 restore_case_semantics(file_attributes);
1224 SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
1225 return(ERROR(0, 0xc0000000|NT_STATUS_FILE_IS_A_DIRECTORY));
1226 }
1227
1228 oplock_request = 0;
1229 open_directory(fsp, conn, fname, smb_ofun, unixmode, &smb_action);
1230
1231 if(!fsp->open) {
1232 file_free(fsp);
1233 restore_case_semantics(file_attributes);
1234 return(UNIXERROR(ERRDOS,ERRnoaccess));
1235 }
1236 #ifdef EROFS
1237 } else if (((errno == EACCES) || (errno == EROFS)) && stat_open_only) {
1238 #else /* !EROFS */
1239 } else if (errno == EACCES && stat_open_only) {
1240 #endif
1241
1242 /*
1243 * We couldn't open normally and all we want
1244 * are the permissions. Try and do a stat open.
1245 */
1246
1247 oplock_request = 0;
1248
1249 open_file_stat(fsp,conn,fname,smb_open_mode,&sbuf,&smb_action);
1250
1251 if(!fsp->open) {
1252 file_free(fsp);
1253 restore_case_semantics(file_attributes);
1254 return(UNIXERROR(ERRDOS,ERRnoaccess));
1255 }
1256 } else {
1257
1258 if((errno == ENOENT) && bad_path) {
1259 unix_ERR_class = ERRDOS;
1260 unix_ERR_code = ERRbadpath;
1261 }
1262 file_free(fsp);
1263
1264 restore_case_semantics(file_attributes);
1265
1266 return(UNIXERROR(ERRDOS,ERRnoaccess));
1267 }
1268 }
1269
1270 if(fsp->is_directory) {
1271 if(dos_stat(fsp->fsp_name, &sbuf) != 0) {
1272 close_file(fsp,True);
1273 restore_case_semantics(file_attributes);
1274 return(ERROR(ERRDOS,ERRnoaccess));
1275 }
1276 } else {
1277 if (!fsp->stat_open && sys_fstat(fsp->fd_ptr->fd,&sbuf) != 0) {
1278 close_file(fsp,False);
1279 restore_case_semantics(file_attributes);
1280 return(ERROR(ERRDOS,ERRnoaccess));
1281 }
1282 }
1283
1284 file_len = sbuf.st_size;
1285 fmode = dos_mode(conn,fname,&sbuf);
1286 if(fmode == 0)
1287 fmode = FILE_ATTRIBUTE_NORMAL;
1288
1289 if (fmode & aDIR) {
1290 close_file(fsp,False);
1291 restore_case_semantics(file_attributes);
1292 return(ERROR(ERRDOS,ERRnoaccess));
1293 }
1294
1295 /*
1296 * If the caller set the extended oplock request bit
1297 * and we granted one (by whatever means) - set the
1298 * correct bit for extended oplock reply.
1299 */
1300
1301 if (oplock_request && lp_fake_oplocks(SNUM(conn)))
1302 smb_action |= EXTENDED_OPLOCK_GRANTED;
1303
1304 if(oplock_request && EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type))
1305 smb_action |= EXTENDED_OPLOCK_GRANTED;
1306 }
1307 }
1308
1309 restore_case_semantics(file_attributes);
1310
1311 /* Realloc the size of parameters and data we will return */
1312 params = *ppparams = Realloc(*ppparams, 69);
1313 if(params == NULL)
1314 return(ERROR(ERRDOS,ERRnomem));
1315
1316 memset((char *)params,'\0',69);
1317
1318 p = params;
1319 if (smb_action & EXTENDED_OPLOCK_GRANTED)
1320 SCVAL(p,0, BATCH_OPLOCK_RETURN);
1321 else if (LEVEL_II_OPLOCK_TYPE(fsp->oplock_type))
1322 SCVAL(p,0, LEVEL_II_OPLOCK_RETURN);
1323 else
1324 SCVAL(p,0,NO_OPLOCK_RETURN);
1325
1326 p += 2;
1327 if (IS_IPC(conn)) {
1328 SSVAL(p,0,pnum);
1329 } else {
1330 SSVAL(p,0,fsp->fnum);
1331 }
1332 p += 2;
1333 SIVAL(p,0,smb_action);
1334 p += 8;
1335
1336 if (IS_IPC(conn)) {
1337 /*
1338 * Deal with pipe return.
1339 */
1340 p += 32;
1341 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
1342 p += 20;
1343 /* File type. */
1344 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
1345 /* Device state. */
1346 SSVAL(p,2, 0x5FF); /* ? */
1347 } else {
1348 /*
1349 * Deal with file return.
1350 */
1351 /* Create time. */
1352 put_long_date(p,get_create_time(&sbuf,lp_fake_dir_create_times(SNUM(conn))));
1353 p += 8;
1354 put_long_date(p,sbuf.st_atime); /* access time */
1355 p += 8;
1356 put_long_date(p,sbuf.st_mtime); /* write time */
1357 p += 8;
1358 put_long_date(p,sbuf.st_mtime); /* change time */
1359 p += 8;
1360 SIVAL(p,0,fmode); /* File Attributes. */
1361 p += 4;
1362 SOFF_T(p,0,file_len);
1363 p += 8;
1364 SOFF_T(p,0,file_len);
1365 }
1366
1367 DEBUG(5,("call_nt_transact_create: open name = %s\n", fname));
1368
1369 /* Send the required number of replies */
1370 send_nt_replies(inbuf, outbuf, bufsize, 0, params, 69, *ppdata, 0);
1371
1372 return -1;
1373 }
1374
1375 /****************************************************************************
1376 Reply to a NT CANCEL request.
1377 ****************************************************************************/
1378 int reply_ntcancel(connection_struct *conn,
1379 char *inbuf,char *outbuf,int length,int bufsize)
1380 {
1381 /*
1382 * Go through and cancel any pending change notifies.
1383 */
1384
1385 int mid = SVAL(inbuf,smb_mid);
1386 remove_pending_change_notify_requests_by_mid(mid);
1387 remove_pending_lock_requests_by_mid(mid);
1388
1389 DEBUG(3,("reply_ntcancel: cancel called on mid = %d.\n", mid));
1390
1391 return(-1);
1392 }
1393
1394 /****************************************************************************
1395 Reply to an unsolicited SMBNTtranss - just ignore it!
1396 ****************************************************************************/
1397 int reply_nttranss(connection_struct *conn,
1398 char *inbuf,char *outbuf,int length,int bufsize)
1399 {
1400 DEBUG(4,("Ignoring nttranss of length %d\n",length));
1401 return(-1);
1402 }
1403
1404 /****************************************************************************
1405 Reply to an NT transact rename command.
1406 ****************************************************************************/
1407
1408 static int call_nt_transact_rename(connection_struct *conn,
1409 char *inbuf, char *outbuf, int length,
1410 int bufsize,
1411 char **ppsetup, char **ppparams, char **ppdata)
1412 {
1413 char *params = *ppparams;
1414 pstring new_name;
1415 files_struct *fsp = file_fsp(params, 0);
1416 BOOL replace_if_exists = (SVAL(params,2) & RENAME_REPLACE_IF_EXISTS) ? True : False;
1417 uint32 fname_len = MIN((((uint32)IVAL(inbuf,smb_nt_TotalParameterCount)-4)),
1418 ((uint32)sizeof(new_name)-1));
1419 int outsize = 0;
1420
1421 CHECK_FSP(fsp, conn);
1422 StrnCpy(new_name,params+4,fname_len);
1423 new_name[fname_len] = '\0';
1424
1425 outsize = rename_internals(conn, inbuf, outbuf, fsp->fsp_name,
1426 new_name, replace_if_exists);
1427 if(outsize == 0) {
1428 /*
1429 * Rename was successful.
1430 */
1431 send_nt_replies(inbuf, outbuf, bufsize, 0, NULL, 0, NULL, 0);
1432
1433 DEBUG(3,("nt transact rename from = %s, to = %s succeeded.\n",
1434 fsp->fsp_name, new_name));
1435
1436 outsize = -1;
1437 }
1438
1439 return(outsize);
1440 }
1441
1442 /****************************************************************************
1443 This is the structure to keep the information needed to
1444 determine if a directory has changed.
1445 *****************************************************************************/
1446
1447 typedef struct {
1448 time_t modify_time; /* Info from the directory we're monitoring. */
1449 time_t status_time; /* Info from the directory we're monitoring. */
1450 time_t total_time; /* Total time of all directory entries - don't care if it wraps. */
1451 unsigned int num_entries; /* Zero or the number of files in the directory. */
1452 } change_hash_data;
1453
1454 /****************************************************************************
1455 This is the structure to queue to implement NT change
1456 notify. It consists of smb_size bytes stored from the
1457 transact command (to keep the mid, tid etc around).
1458 Plus the fid to examine and the time to check next.
1459 *****************************************************************************/
1460
1461 typedef struct {
1462 ubi_slNode msg_next;
1463 files_struct *fsp;
1464 connection_struct *conn;
1465 uint32 flags;
1466 time_t next_check_time;
1467 change_hash_data change_data;
1468 char request_buf[smb_size];
1469 } change_notify_buf;
1470
1471 static ubi_slList change_notify_queue = { NULL, (ubi_slNodePtr)&change_notify_queue, 0};
1472
1473 /****************************************************************************
1474 Setup the common parts of the return packet and send it.
1475 *****************************************************************************/
1476
1477 static void change_notify_reply_packet(char *inbuf, int error_class, uint32 error_code)
1478 {
1479 extern int Client;
1480 char outbuf[smb_size+38];
1481
1482 memset(outbuf, '\0', sizeof(outbuf));
1483 construct_reply_common(inbuf, outbuf);
1484
1485 /*
1486 * If we're returning a 'too much in the directory changed' we need to
1487 * set this is an NT error status flags. If we don't then the (probably
1488 * untested) code in the NT redirector has a bug in that it doesn't re-issue
1489 * the change notify.... Ah - I *love* it when I get so deeply into this I
1490 * can even determine how MS failed to test stuff and why.... :-). JRA.
1491 */
1492
1493 if(error_class == 0) /* NT Error. */
1494 SSVAL(outbuf,smb_flg2, SVAL(outbuf,smb_flg2) | FLAGS2_32_BIT_ERROR_CODES);
1495
1496 ERROR(error_class,error_code);
1497
1498 /*
1499 * Seems NT needs a transact command with an error code
1500 * in it. This is a longer packet than a simple error.
1501 */
1502 set_message(outbuf,18,0,False);
1503
1504 send_smb(Client,outbuf);
1505 }
1506
1507 /****************************************************************************
1508 Create the hash we will use to determine if the contents changed.
1509 *****************************************************************************/
1510
1511 static BOOL create_directory_notify_hash( change_notify_buf *cnbp, change_hash_data *change_data)
1512 {
1513 SMB_STRUCT_STAT st;
1514 files_struct *fsp = cnbp->fsp;
1515
1516 memset((char *)change_data, '\0', sizeof(change_data));
1517
1518 /*
1519 * Store the current timestamp on the directory we are monitoring.
1520 */
1521
1522 if(dos_stat(fsp->fsp_name, &st) < 0) {
1523 DEBUG(0,("create_directory_notify_hash: Unable to stat name = %s. \
1524 Error was %s\n", fsp->fsp_name, strerror(errno) ));
1525 return False;
1526 }
1527
1528 change_data->modify_time = st.st_mtime;
1529 change_data->status_time = st.st_ctime;
1530
1531 /*
1532 * If we are to watch for changes that are only stored
1533 * in inodes of files, not in the directory inode, we must
1534 * scan the directory and produce a unique identifier with
1535 * which we can determine if anything changed. We use the
1536 * modify and change times from all the files in the
1537 * directory, added together (ignoring wrapping if it's
1538 * larger than the max time_t value).
1539 */
1540
1541 if(cnbp->flags & (FILE_NOTIFY_CHANGE_SIZE|FILE_NOTIFY_CHANGE_LAST_WRITE)) {
1542 pstring full_name;
1543 char *p;
1544 char *fname;
1545 size_t remaining_len;
1546 size_t fullname_len;
1547 void *dp = OpenDir(cnbp->conn, fsp->fsp_name, True);
1548
1549 if(dp == NULL) {
1550 DEBUG(0,("create_directory_notify_hash: Unable to open directory = %s. \
1551 Error was %s\n", fsp->fsp_name, strerror(errno) ));
1552 return False;
1553 }
1554
1555 change_data->num_entries = 0;
1556
1557 pstrcpy(full_name, fsp->fsp_name);
1558 pstrcat(full_name, "/");
1559
1560 fullname_len = strlen(full_name);
1561 remaining_len = sizeof(full_name) - fullname_len - 1;
1562 p = &full_name[fullname_len];
1563
1564 while ((fname = ReadDirName(dp))) {
1565 if(strequal(fname, ".") || strequal(fname, ".."))
1566 continue;
1567
1568 change_data->num_entries++;
1569 safe_strcpy( p, fname, remaining_len);
1570
1571 memset(&st, '\0', sizeof(st));
1572
1573 /*
1574 * Do the stat - but ignore errors.
1575 */
1576
1577 if(dos_stat(full_name, &st) < 0) {
1578 DEBUG(5,("create_directory_notify_hash: Unable to stat content file = %s. \
1579 Error was %s\n", fsp->fsp_name, strerror(errno) ));
1580 }
1581 change_data->total_time += (st.st_mtime + st.st_ctime);
1582 }
1583
1584 CloseDir(dp);
1585 }
1586
1587 return True;
1588 }
1589
1590 /****************************************************************************
1591 Delete entries by fnum from the change notify pending queue.
1592 *****************************************************************************/
1593
1594 void remove_pending_change_notify_requests_by_fid(files_struct *fsp)
1595 {
1596 change_notify_buf *cnbp = (change_notify_buf *)ubi_slFirst( &change_notify_queue );
1597 change_notify_buf *prev = NULL;
1598
1599 while(cnbp != NULL) {
1600 if(cnbp->fsp->fnum == fsp->fnum) {
1601 free((char *)ubi_slRemNext( &change_notify_queue, prev));
1602 cnbp = (change_notify_buf *)(prev ? ubi_slNext(prev) : ubi_slFirst(&change_notify_queue));
1603 continue;
1604 }
1605
1606 prev = cnbp;
1607 cnbp = (change_notify_buf *)ubi_slNext(cnbp);
1608 }
1609 }
1610
1611 /****************************************************************************
1612 Delete entries by mid from the change notify pending queue. Always send reply.
1613 *****************************************************************************/
1614
1615 static void remove_pending_change_notify_requests_by_mid(int mid)
1616 {
1617 change_notify_buf *cnbp = (change_notify_buf *)ubi_slFirst( &change_notify_queue );
1618 change_notify_buf *prev = NULL;
1619
1620 while(cnbp != NULL) {
1621 if(SVAL(cnbp->request_buf,smb_mid) == mid) {
1622 change_notify_reply_packet(cnbp->request_buf,0,0xC0000000 |NT_STATUS_CANCELLED);
1623 free((char *)ubi_slRemNext( &change_notify_queue, prev));
1624 cnbp = (change_notify_buf *)(prev ? ubi_slNext(prev) : ubi_slFirst(&change_notify_queue));
1625 continue;
1626 }
1627
1628 prev = cnbp;
1629 cnbp = (change_notify_buf *)ubi_slNext(cnbp);
1630 }
1631 }
1632
1633 /****************************************************************************
1634 Delete entries by filename and cnum from the change notify pending queue.
1635 Always send reply.
1636 *****************************************************************************/
1637
1638 void remove_pending_change_notify_requests_by_filename(files_struct *fsp)
1639 {
1640 change_notify_buf *cnbp = (change_notify_buf *)ubi_slFirst( &change_notify_queue );
1641 change_notify_buf *prev = NULL;
1642
1643 while(cnbp != NULL) {
1644 /*
1645 * We know it refers to the same directory if the connection number and
1646 * the filename are identical.
1647 */
1648 if((cnbp->fsp->conn == fsp->conn) && strequal(cnbp->fsp->fsp_name,fsp->fsp_name)) {
1649 change_notify_reply_packet(cnbp->request_buf,0,0xC0000000 |NT_STATUS_CANCELLED);
1650 free((char *)ubi_slRemNext( &change_notify_queue, prev));
1651 cnbp = (change_notify_buf *)(prev ? ubi_slNext(prev) : ubi_slFirst(&change_notify_queue));
1652 continue;
1653 }
1654
1655 prev = cnbp;
1656 cnbp = (change_notify_buf *)ubi_slNext(cnbp);
1657 }
1658 }
1659
1660 /****************************************************************************
1661 Process the change notify queue. Note that this is only called as root.
1662 Returns True if there are still outstanding change notify requests on the
1663 queue.
1664 *****************************************************************************/
1665
1666 BOOL process_pending_change_notify_queue(time_t t)
1667 {
1668 change_notify_buf *cnbp = (change_notify_buf *)ubi_slFirst( &change_notify_queue );
1669 change_notify_buf *prev = NULL;
1670
1671 if(cnbp == NULL)
1672 return False;
1673
1674 if(cnbp->next_check_time >= t)
1675 return True;
1676
1677 /*
1678 * It's time to check. Go through the queue and see if
1679 * the timestamps changed.
1680 */
1681
1682 while((cnbp != NULL) && (cnbp->next_check_time <= t)) {
1683 change_hash_data change_data;
1684 connection_struct *conn = cnbp->conn;
1685 uint16 vuid = (lp_security() == SEC_SHARE) ? UID_FIELD_INVALID :
1686 SVAL(cnbp->request_buf,smb_uid);
1687
1688 ZERO_STRUCT(change_data);
1689
1690 /*
1691 * Ensure we don't have any old chain_fsp values
1692 * sitting around....
1693 */
1694 chain_size = 0;
1695 file_chain_reset();
1696
1697 if(!become_user(conn,vuid)) {
1698 DEBUG(0,("process_pending_change_notify_queue: Unable to become user vuid=%d.\n",
1699 vuid ));
1700 /*
1701 * Remove the entry and return an error to the client.
1702 */
1703 change_notify_reply_packet(cnbp->request_buf,ERRSRV,ERRaccess);
1704 free((char *)ubi_slRemNext( &change_notify_queue, prev));
1705 cnbp = (change_notify_buf *)(prev ? ubi_slNext(prev) : ubi_slFirst(&change_notify_queue));
1706 continue;
1707 }
1708
1709 if(!become_service(conn,True)) {
1710 DEBUG(0,("process_pending_change_notify_queue: Unable to become service Error was %s.\n", strerror(errno) ));
1711 /*
1712 * Remove the entry and return an error to the client.
1713 */
1714 change_notify_reply_packet(cnbp->request_buf,ERRSRV,ERRaccess);
1715 free((char *)ubi_slRemNext( &change_notify_queue, prev));
1716 cnbp = (change_notify_buf *)(prev ? ubi_slNext(prev) : ubi_slFirst(&change_notify_queue));
1717 unbecome_user();
1718 continue;
1719 }
1720
1721 if(!create_directory_notify_hash( cnbp, &change_data)) {
1722 DEBUG(0,("process_pending_change_notify_queue: Unable to create change data for \
1723 directory %s\n", cnbp->fsp->fsp_name ));
1724 /*
1725 * Remove the entry and return an error to the client.
1726 */
1727 change_notify_reply_packet(cnbp->request_buf,ERRSRV,ERRaccess);
1728 free((char *)ubi_slRemNext( &change_notify_queue, prev));
1729 cnbp = (change_notify_buf *)(prev ? ubi_slNext(prev) : ubi_slFirst(&change_notify_queue));
1730 unbecome_user();
1731 continue;
1732 }
1733
1734 if(memcmp( (char *)&cnbp->change_data, (char *)&change_data, sizeof(change_data))) {
1735 /*
1736 * Remove the entry and return a change notify to the client.
1737 */
1738 DEBUG(5,("process_pending_change_notify_queue: directory name = %s changed.\n",
1739 cnbp->fsp->fsp_name ));
1740 change_notify_reply_packet(cnbp->request_buf,0,NT_STATUS_NOTIFY_ENUM_DIR);
1741 free((char *)ubi_slRemNext( &change_notify_queue, prev));
1742 cnbp = (change_notify_buf *)(prev ? ubi_slNext(prev) : ubi_slFirst(&change_notify_queue));
1743 unbecome_user();
1744 continue;
1745 }
1746
1747 unbecome_user();
1748
1749 /*
1750 * Move to the next in the list.
1751 */
1752 prev = cnbp;
1753 cnbp = (change_notify_buf *)ubi_slNext(cnbp);
1754 }
1755
1756 return (cnbp != NULL);
1757 }
1758
1759 /****************************************************************************
1760 Return true if there are pending change notifies.
1761 ****************************************************************************/
1762
1763 BOOL change_notifies_pending(void)
1764 {
1765 change_notify_buf *cnbp = (change_notify_buf *)ubi_slFirst( &change_notify_queue );
1766 return (cnbp != NULL);
1767 }
1768
1769 /****************************************************************************
1770 Reply to a notify change - queue the request and
1771 don't allow a directory to be opened.
1772 ****************************************************************************/
1773
1774 static int call_nt_transact_notify_change(connection_struct *conn,
1775 char *inbuf, char *outbuf, int length,
1776 int bufsize,
1777 char **ppsetup,
1778 char **ppparams, char **ppdata)
1779 {
1780 char *setup = *ppsetup;
1781 files_struct *fsp;
1782 change_notify_buf *cnbp;
1783
1784 fsp = file_fsp(setup,4);
1785
1786 DEBUG(3,("call_nt_transact_notify_change\n"));
1787
1788 if(!fsp)
1789 return(ERROR(ERRDOS,ERRbadfid));
1790
1791 if((!fsp->open) || (!fsp->is_directory) || (conn != fsp->conn))
1792 return(ERROR(ERRDOS,ERRbadfid));
1793
1794 /*
1795 * Now queue an entry on the notify change stack. We timestamp
1796 * the entry we are adding so that we know when to scan next.
1797 * We only need to save smb_size bytes from this incoming packet
1798 * as we will always by returning a 'read the directory yourself'
1799 * error.
1800 */
1801
1802 if((cnbp = (change_notify_buf *)malloc(sizeof(change_notify_buf))) == NULL) {
1803 DEBUG(0,("call_nt_transact_notify_change: malloc fail !\n" ));
1804 return -1;
1805 }
1806
1807 memset((char *)cnbp, '\0', sizeof(change_notify_buf));
1808
1809 memcpy(cnbp->request_buf, inbuf, smb_size);
1810 cnbp->fsp = fsp;
1811 cnbp->conn = conn;
1812 cnbp->next_check_time = time(NULL) + lp_change_notify_timeout();
1813 cnbp->flags = IVAL(setup, 0);
1814
1815 if(!create_directory_notify_hash( cnbp, &cnbp->change_data )) {
1816 free((char *)cnbp);
1817 return(UNIXERROR(ERRDOS,ERRbadfid));
1818 }
1819
1820 /*
1821 * Adding to the tail enables us to check only
1822 * the head when scanning for change, as this entry
1823 * is forced to have the first timeout expiration.
1824 */
1825
1826 ubi_slAddTail(&change_notify_queue, cnbp);
1827
1828 DEBUG(3,("call_nt_transact_notify_change: notify change called on directory \
1829 name = %s\n", fsp->fsp_name ));
1830
1831 return -1;
1832 }
1833
1834 /****************************************************************************
1835 Map unix perms to NT.
1836 ****************************************************************************/
1837
1838 static SEC_ACCESS map_unix_perms( int *pacl_type, mode_t perm, int r_mask, int w_mask, int x_mask, BOOL is_directory)
1839 {
1840 SEC_ACCESS sa;
1841 uint32 nt_mask = 0;
1842
1843 *pacl_type = SEC_ACE_TYPE_ACCESS_ALLOWED;
1844
1845 if((perm & (r_mask|w_mask|x_mask)) == (r_mask|w_mask|x_mask)) {
1846 nt_mask = UNIX_ACCESS_RWX;
1847 } else if((perm & (r_mask|w_mask|x_mask)) == 0) {
1848 nt_mask = UNIX_ACCESS_NONE;
1849 } else {
1850 nt_mask |= (perm & r_mask) ? UNIX_ACCESS_R : 0;
1851 if(is_directory)
1852 nt_mask |= (perm & w_mask) ? UNIX_ACCESS_W : 0;
1853 else
1854 nt_mask |= (perm & w_mask) ? UNIX_ACCESS_W : 0;
1855 nt_mask |= (perm & x_mask) ? UNIX_ACCESS_X : 0;
1856 }
1857 init_sec_access(&sa,nt_mask);
1858 return sa;
1859 }
1860
1861 /****************************************************************************
1862 Function to create owner and group SIDs from a SMB_STRUCT_STAT.
1863 ****************************************************************************/
1864
1865 static void create_file_sids(SMB_STRUCT_STAT *psbuf, DOM_SID *powner_sid, DOM_SID *pgroup_sid)
1866 {
1867 extern DOM_SID global_sam_sid;
1868
1869 sid_copy(powner_sid, &global_sam_sid);
1870 sid_copy(pgroup_sid, &global_sam_sid);
1871 sid_append_rid(powner_sid, pdb_uid_to_user_rid(psbuf->st_uid));
1872 sid_append_rid(pgroup_sid, pdb_gid_to_group_rid(psbuf->st_gid));
1873 }
1874
1875 /****************************************************************************
1876 Reply to query a security descriptor from an fsp. If it succeeds it allocates
1877 the space for the return elements and returns True.
1878 ****************************************************************************/
1879
1880 static size_t get_nt_acl(files_struct *fsp, SEC_DESC **ppdesc)
1881 {
1882 extern DOM_SID global_sid_World;
1883 SMB_STRUCT_STAT sbuf;
1884 SEC_ACE ace_list[6];
1885 DOM_SID owner_sid;
1886 DOM_SID group_sid;
1887 size_t sec_desc_size;
1888 SEC_ACL *psa = NULL;
1889 SEC_ACCESS owner_access;
1890 int owner_acl_type;
1891 SEC_ACCESS group_access;
1892 int grp_acl_type;
1893 SEC_ACCESS other_access;
1894 int other_acl_type;
1895 int num_acls = 0;
1896
1897 *ppdesc = NULL;
1898
1899 if(!lp_nt_acl_support()) {
1900 sid_copy( &owner_sid, &global_sid_World);
1901 sid_copy( &group_sid, &global_sid_World);
1902 } else {
1903
1904 if(fsp->is_directory || fsp->fd_ptr == NULL) {
1905 if(dos_stat(fsp->fsp_name, &sbuf) != 0) {
1906 return 0;
1907 }
1908 } else {
1909 if(sys_fstat(fsp->fd_ptr->fd,&sbuf) != 0) {
1910 return 0;
1911 }
1912 }
1913
1914 /*
1915 * Get the owner, group and world SIDs.
1916 */
1917
1918 create_file_sids(&sbuf, &owner_sid, &group_sid);
1919
1920 /*
1921 * Create the generic 3 element UNIX acl.
1922 */
1923
1924 owner_access = map_unix_perms(&owner_acl_type, sbuf.st_mode,
1925 S_IRUSR, S_IWUSR, S_IXUSR, fsp->is_directory);
1926 group_access = map_unix_perms(&grp_acl_type, sbuf.st_mode,
1927 S_IRGRP, S_IWGRP, S_IXGRP, fsp->is_directory);
1928 other_access = map_unix_perms(&other_acl_type, sbuf.st_mode,
1929 S_IROTH, S_IWOTH, S_IXOTH, fsp->is_directory);
1930
1931 if(owner_access.mask)
1932 init_sec_ace(&ace_list[num_acls++], &owner_sid, owner_acl_type,
1933 owner_access, 0);
1934
1935 if(group_access.mask)
1936 init_sec_ace(&ace_list[num_acls++], &group_sid, grp_acl_type,
1937 group_access, 0);
1938
1939 if(other_access.mask)
1940 init_sec_ace(&ace_list[num_acls++], &global_sid_World, other_acl_type,
1941 other_access, 0);
1942
1943 if(fsp->is_directory) {
1944 /*
1945 * For directory ACLs we also add in the inherited permissions
1946 * ACE entries. These are the permissions a file would get when
1947 * being created in the directory.
1948 */
1949 mode_t mode = unix_mode( fsp->conn, FILE_ATTRIBUTE_ARCHIVE, fsp->fsp_name);
1950
1951 owner_access = map_unix_perms(&owner_acl_type, mode,
1952 S_IRUSR, S_IWUSR, S_IXUSR, fsp->is_directory);
1953 group_access = map_unix_perms(&grp_acl_type, mode,
1954 S_IRGRP, S_IWGRP, S_IXGRP, fsp->is_directory);
1955 other_access = map_unix_perms(&other_acl_type, mode,
1956 S_IROTH, S_IWOTH, S_IXOTH, fsp->is_directory);
1957
1958 if(owner_access.mask)
1959 init_sec_ace(&ace_list[num_acls++], &owner_sid, owner_acl_type,
1960 owner_access, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
1961
1962 if(group_access.mask)
1963 init_sec_ace(&ace_list[num_acls++], &group_sid, grp_acl_type,
1964 group_access, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
1965
1966 if(other_access.mask)
1967 init_sec_ace(&ace_list[num_acls++], &global_sid_World, other_acl_type,
1968 other_access, SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_INHERIT_ONLY);
1969 }
1970
1971 if(num_acls)
1972 if((psa = make_sec_acl( 3, num_acls, ace_list)) == NULL) {
1973 DEBUG(0,("get_nt_acl: Unable to malloc space for acl.\n"));
1974 return 0;
1975 }
1976 }
1977
1978 *ppdesc = make_standard_sec_desc( &owner_sid, &group_sid, psa, &sec_desc_size);
1979
1980 if(!*ppdesc) {
1981 DEBUG(0,("get_nt_acl: Unable to malloc space for security descriptor.\n"));
1982 sec_desc_size = 0;
1983 }
1984
1985 free_sec_acl(&psa);
1986
1987 return sec_desc_size;
1988 }
1989
1990 /****************************************************************************
1991 Reply to query a security descriptor - currently this is not implemented (it
1992 is planned to be though). Right now it just returns the same thing NT would
1993 when queried on a FAT filesystem. JRA.
1994 ****************************************************************************/
1995
1996 static int call_nt_transact_query_security_desc(connection_struct *conn,
1997 char *inbuf, char *outbuf,
1998 int length, int bufsize,
1999 char **ppsetup, char **ppparams, char **ppdata)
2000 {
2001 uint32 max_data_count = IVAL(inbuf,smb_nt_MaxDataCount);
2002 char *params = *ppparams;
2003 char *data = *ppdata;
2004 prs_struct pd;
2005 SEC_DESC *psd;
2006 size_t sec_desc_size;
2007
2008 files_struct *fsp = file_fsp(params,0);
2009
2010 if(!fsp)
2011 return(ERROR(ERRDOS,ERRbadfid));
2012
2013 DEBUG(3,("call_nt_transact_query_security_desc: file = %s\n", fsp->fsp_name ));
2014
2015 params = *ppparams = Realloc(*ppparams, 4);
2016 if(params == NULL)
2017 return(ERROR(ERRDOS,ERRnomem));
2018
2019 /*
2020 * Get the permissions to return.
2021 */
2022
2023 if((sec_desc_size = get_nt_acl(fsp, &psd)) == 0)
2024 return(UNIXERROR(ERRDOS,ERRnoaccess));
2025
2026 DEBUG(3,("call_nt_transact_query_security_desc: sec_desc_size = %d.\n",(int)sec_desc_size));
2027
2028 SIVAL(params,0,(uint32)sec_desc_size);
2029
2030 if(max_data_count < sec_desc_size) {
2031
2032 free_sec_desc(&psd);
2033
2034 send_nt_replies(inbuf, outbuf, bufsize, 0xC0000000|NT_STATUS_BUFFER_TOO_SMALL,
2035 params, 4, *ppdata, 0);
2036 return -1;
2037 }
2038
2039 /*
2040 * Allocate the data we will point this at.
2041 */
2042
2043 data = *ppdata = Realloc(*ppdata, sec_desc_size);
2044 if(data == NULL) {
2045 free_sec_desc(&psd);
2046 return(ERROR(ERRDOS,ERRnomem));
2047 }
2048
2049 memset(data, '\0', sec_desc_size);
2050
2051 /*
2052 * Init the parse struct we will marshall into.
2053 */
2054
2055 prs_init(&pd, 0, 4, MARSHALL);
2056
2057 /*
2058 * Setup the prs_struct to point at the memory we just
2059 * allocated.
2060 */
2061
2062 prs_give_memory( &pd, data, (uint32)sec_desc_size, False);
2063
2064 /*
2065 * Finally, linearize into the outgoing buffer.
2066 */
2067
2068 if(!sec_io_desc( "sd data", &psd, &pd, 1)) {
2069 free_sec_desc(&psd);
2070 DEBUG(0,("call_nt_transact_query_security_desc: Error in marshalling \
2071 security descriptor.\n"));
2072 /*
2073 * Return access denied for want of a better error message..
2074 */
2075 return(UNIXERROR(ERRDOS,ERRnoaccess));
2076 }
2077
2078 /*
2079 * Now we can delete the security descriptor.
2080 */
2081
2082 free_sec_desc(&psd);
2083
2084 send_nt_replies(inbuf, outbuf, bufsize, 0, params, 4, data, (int)sec_desc_size);
2085 return -1;
2086 }
2087
2088 /****************************************************************************
2089 Validate a SID.
2090 ****************************************************************************/
2091
2092 static BOOL validate_unix_sid( DOM_SID *psid, uint32 *prid, DOM_SID *sd_sid)
2093 {
2094 extern DOM_SID global_sam_sid;
2095 DOM_SID sid;
2096
2097 if(!sd_sid) {
2098 DEBUG(5,("validate_unix_sid: sid missing.\n"));
2099 return False;
2100 }
2101
2102 sid_copy(psid, sd_sid);
2103 sid_copy(&sid, sd_sid);
2104
2105 if(!sid_split_rid(&sid, prid)) {
2106 DEBUG(5,("validate_unix_sid: cannot get RID from sid.\n"));
2107 return False;
2108 }
2109
2110 if(!sid_equal( &sid, &global_sam_sid)) {
2111 DEBUG(5,("validate_unix_sid: sid is not ours.\n"));
2112 return False;
2113 }
2114
2115 return True;
2116 }
2117
2118 /****************************************************************************
2119 Map NT perms to UNIX.
2120 ****************************************************************************/
2121
2122 #define FILE_SPECIFIC_READ_BITS (FILE_READ_DATA|FILE_READ_EA|FILE_READ_ATTRIBUTES)
2123 #define FILE_SPECIFIC_WRITE_BITS (FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_WRITE_EA|FILE_WRITE_ATTRIBUTES)
2124 #define FILE_SPECIFIC_EXECUTE_BITS (FILE_EXECUTE)
2125
2126 static mode_t map_nt_perms( SEC_ACCESS sec_access, int type)
2127 {
2128 mode_t mode = 0;
2129
2130 switch(type) {
2131 case S_IRUSR:
2132 if(sec_access.mask & GENERIC_ALL_ACCESS)
2133 mode = S_IRUSR|S_IWUSR|S_IXUSR;
2134 else {
2135 mode |= (sec_access.mask & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRUSR : 0;
2136 mode |= (sec_access.mask & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWUSR : 0;
2137 mode |= (sec_access.mask & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXUSR : 0;
2138 }
2139 break;
2140 case S_IRGRP:
2141 if(sec_access.mask & GENERIC_ALL_ACCESS)
2142 mode = S_IRGRP|S_IWGRP|S_IXGRP;
2143 else {
2144 mode |= (sec_access.mask & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IRGRP : 0;
2145 mode |= (sec_access.mask & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWGRP : 0;
2146 mode |= (sec_access.mask & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXGRP : 0;
2147 }
2148 break;
2149 case S_IROTH:
2150 if(sec_access.mask & GENERIC_ALL_ACCESS)
2151 mode = S_IROTH|S_IWOTH|S_IXOTH;
2152 else {
2153 mode |= (sec_access.mask & (GENERIC_READ_ACCESS|FILE_SPECIFIC_READ_BITS)) ? S_IROTH : 0;
2154 mode |= (sec_access.mask & (GENERIC_WRITE_ACCESS|FILE_SPECIFIC_WRITE_BITS)) ? S_IWOTH : 0;
2155 mode |= (sec_access.mask & (GENERIC_EXECUTE_ACCESS|FILE_SPECIFIC_EXECUTE_BITS)) ? S_IXOTH : 0;
2156 }
2157 break;
2158 }
2159
2160 return mode;
2161 }
2162
2163 /****************************************************************************
2164 Unpack a SEC_DESC into a owner, group and set of UNIX permissions.
2165 ****************************************************************************/
2166
2167 static BOOL unpack_nt_permissions(SMB_STRUCT_STAT *psbuf, uid_t *puser, gid_t *pgrp, mode_t *pmode,
2168 uint32 security_info_sent, SEC_DESC *psd, BOOL is_directory)
2169 {
2170 extern DOM_SID global_sid_World;
2171 DOM_SID owner_sid;
2172 DOM_SID grp_sid;
2173 DOM_SID file_owner_sid;
2174 DOM_SID file_grp_sid;
2175 uint32 owner_rid;
2176 uint32 grp_rid;
2177 SEC_ACL *dacl = psd->dacl;
2178 BOOL all_aces_are_inherit_only = (is_directory ? True : False);
2179 int i;
2180
2181 *pmode = 0;
2182 *puser = (uid_t)-1;
2183 *pgrp = (gid_t)-1;
2184
2185 if(security_info_sent == 0) {
2186 DEBUG(0,("unpack_nt_permissions: no security info sent !\n"));
2187 return False;
2188 }
2189
2190 /*
2191 * Windows 2000 sends the owner and group SIDs as the logged in
2192 * user, not the connected user. But it still sends the file
2193 * owner SIDs on an ACL set. So we need to check for the file
2194 * owner and group SIDs as well as the owner SIDs. JRA.
2195 */
2196
2197 create_file_sids(psbuf, &file_owner_sid, &file_grp_sid);
2198
2199 /*
2200 * Validate the owner and group SID's.
2201 */
2202
2203 memset(&owner_sid, '\0', sizeof(owner_sid));
2204 memset(&grp_sid, '\0', sizeof(grp_sid));
2205
2206 DEBUG(5,("unpack_nt_permissions: validating owner_sid.\n"));
2207
2208 /*
2209 * Don't immediately fail if the owner sid cannot be validated.
2210 * This may be a group chown only set.
2211 */
2212
2213 if(!validate_unix_sid( &owner_sid, &owner_rid, psd->owner_sid))
2214 DEBUG(3,("unpack_nt_permissions: unable to validate owner sid.\n"));
2215 else if(security_info_sent & OWNER_SECURITY_INFORMATION)
2216 *puser = pdb_user_rid_to_uid(owner_rid);
2217
2218 /*
2219 * Don't immediately fail if the group sid cannot be validated.
2220 * This may be an owner chown only set.
2221 */
2222
2223 if(!validate_unix_sid( &grp_sid, &grp_rid, psd->grp_sid))
2224 DEBUG(3,("unpack_nt_permissions: unable to validate group sid.\n"));
2225 else if(security_info_sent & GROUP_SECURITY_INFORMATION)
2226 *pgrp = pdb_user_rid_to_gid(grp_rid);
2227
2228 /*
2229 * If no DACL then this is a chown only security descriptor.
2230 */
2231
2232 if(!(security_info_sent & DACL_SECURITY_INFORMATION) || !dacl) {
2233 *pmode = 0;
2234 return True;
2235 }
2236
2237 /*
2238 * Now go through the DACL and ensure that
2239 * any owner/group sids match.
2240 */
2241
2242 for(i = 0; i < dacl->num_aces; i++) {
2243 DOM_SID ace_sid;
2244 SEC_ACE *psa = &dacl->ace_list[i];
2245
2246 if((psa->type != SEC_ACE_TYPE_ACCESS_ALLOWED) &&
2247 (psa->type != SEC_ACE_TYPE_ACCESS_DENIED)) {
2248 DEBUG(3,("unpack_nt_permissions: unable to set anything but an ALLOW or DENY ACE.\n"));
2249 return False;
2250 }
2251
2252 /*
2253 * Ignore or remove bits we don't care about on a directory ACE.
2254 */
2255
2256 if(is_directory) {
2257 if(psa->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
2258 DEBUG(3,("unpack_nt_permissions: ignoring inherit only ACE.\n"));
2259 continue;
2260 }
2261
2262 /*
2263 * At least one of the ACE entries wasn't inherit only.
2264 * Flag this so we know the returned mode is valid.
2265 */
2266
2267 all_aces_are_inherit_only = False;
2268 }
2269
2270 /*
2271 * Windows 2000 sets these flags even on *file* ACE's. This is wrong
2272 * but we can ignore them for now. Revisit this when we go to POSIX
2273 * ACLs on directories.
2274 */
2275
2276 psa->flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT|SEC_ACE_FLAG_CONTAINER_INHERIT);
2277
2278 if(psa->flags != 0) {
2279 DEBUG(1,("unpack_nt_permissions: unable to set ACE flags (%x).\n",
2280 (unsigned int)psa->flags));
2281 return False;
2282 }
2283
2284 /*
2285 * The security mask may be UNIX_ACCESS_NONE which should map into
2286 * no permissions (we overload the WRITE_OWNER bit for this) or it
2287 * should be one of the ALL/EXECUTE/READ/WRITE bits. Arrange for this
2288 * to be so. Any other bits override the UNIX_ACCESS_NONE bit.
2289 */
2290
2291 psa->info.mask &= (GENERIC_ALL_ACCESS|GENERIC_EXECUTE_ACCESS|GENERIC_WRITE_ACCESS|
2292 GENERIC_READ_ACCESS|UNIX_ACCESS_NONE|FILE_ALL_ATTRIBUTES);
2293
2294 if(psa->info.mask != UNIX_ACCESS_NONE)
2295 psa->info.mask &= ~UNIX_ACCESS_NONE;
2296
2297 sid_copy(&ace_sid, &psa->sid);
2298
2299 if(sid_equal(&ace_sid, &file_owner_sid)) {
2300 /*
2301 * Map the desired permissions into owner perms.
2302 */
2303
2304 if(psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED)
2305 *pmode |= map_nt_perms( psa->info, S_IRUSR);
2306 else
2307 *pmode &= ~(map_nt_perms( psa->info, S_IRUSR));
2308
2309 } else if( sid_equal(&ace_sid, &file_grp_sid)) {
2310 /*
2311 * Map the desired permissions into group perms.
2312 */
2313
2314 if(psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED)
2315 *pmode |= map_nt_perms( psa->info, S_IRGRP);
2316 else
2317 *pmode &= ~(map_nt_perms( psa->info, S_IRGRP));
2318
2319 } else if( sid_equal(&ace_sid, &global_sid_World)) {
2320 /*
2321 * Map the desired permissions into other perms.
2322 */
2323
2324 if(psa->type == SEC_ACE_TYPE_ACCESS_ALLOWED)
2325 *pmode |= map_nt_perms( psa->info, S_IROTH);
2326 else
2327 *pmode &= ~(map_nt_perms( psa->info, S_IROTH));
2328
2329 } else {
2330 DEBUG(0,("unpack_nt_permissions: unknown SID used in ACL.\n"));
2331 return False;
2332 }
2333 }
2334
2335 if (is_directory && all_aces_are_inherit_only) {
2336 /*
2337 * Windows 2000 is doing one of these weird 'inherit acl'
2338 * traverses to conserve NTFS ACL resources. Just pretend
2339 * there was no DACL sent. JRA.
2340 */
2341
2342 DEBUG(10,("unpack_nt_permissions: Win2k inherit acl traverse. Ignoring DACL.\n"));
2343 free_sec_acl(&psd->dacl);
2344 }
2345
2346 return True;
2347 }
2348
2349 /****************************************************************************
2350 Reply to set a security descriptor. Map to UNIX perms.
2351 ****************************************************************************/
2352
2353 static int call_nt_transact_set_security_desc(connection_struct *conn,
2354 char *inbuf, char *outbuf, int length,
2355 int bufsize, char **ppsetup,
2356 char **ppparams, char **ppdata)
2357 {
2358 uint32 total_parameter_count = IVAL(inbuf, smb_nts_TotalParameterCount);
2359 char *params= *ppparams;
2360 char *data = *ppdata;
2361 prs_struct pd;
2362 SEC_DESC *psd = NULL;
2363 uint32 total_data_count = (uint32)IVAL(inbuf, smb_nts_TotalDataCount);
2364 uid_t user = (uid_t)-1;
2365 gid_t grp = (gid_t)-1;
2366 mode_t perms = 0;
2367 SMB_STRUCT_STAT sbuf;
2368 files_struct *fsp = NULL;
2369 uint32 security_info_sent = 0;
2370 BOOL got_dacl = False;
2371
2372 if(!lp_nt_acl_support())
2373 return(UNIXERROR(ERRDOS,ERRnoaccess));
2374
2375 if(total_parameter_count < 8)
2376 return(ERROR(ERRDOS,ERRbadfunc));
2377
2378 if((fsp = file_fsp(params,0)) == NULL)
2379 return(ERROR(ERRDOS,ERRbadfid));
2380
2381 security_info_sent = IVAL(params,4);
2382
2383 DEBUG(3,("call_nt_transact_set_security_desc: file = %s, sent 0x%x\n", fsp->fsp_name,
2384 (unsigned int)security_info_sent ));
2385
2386 /*
2387 * Init the parse struct we will unmarshall from.
2388 */
2389
2390 prs_init(&pd, 0, 4, UNMARSHALL);
2391
2392 /*
2393 * Setup the prs_struct to point at the memory we just
2394 * allocated.
2395 */
2396
2397 prs_give_memory( &pd, data, total_data_count, False);
2398
2399 /*
2400 * Finally, unmarshall from the data buffer.
2401 */
2402
2403 if(!sec_io_desc( "sd data", &psd, &pd, 1)) {
2404 free_sec_desc(&psd);
2405 DEBUG(0,("call_nt_transact_set_security_desc: Error in unmarshalling \
2406 security descriptor.\n"));
2407 /*
2408 * Return access denied for want of a better error message..
2409 */
2410 return(UNIXERROR(ERRDOS,ERRnoaccess));
2411 }
2412
2413 /*
2414 * Get the current state of the file.
2415 */
2416
2417 if(fsp->is_directory) {
2418 if(dos_stat(fsp->fsp_name, &sbuf) != 0) {
2419 free_sec_desc(&psd);
2420 return(UNIXERROR(ERRDOS,ERRnoaccess));
2421 }
2422 } else {
2423
2424 int ret;
2425
2426 if(fsp->fd_ptr == NULL)
2427 ret = dos_stat(fsp->fsp_name, &sbuf);
2428 else
2429 ret = sys_fstat(fsp->fd_ptr->fd,&sbuf);
2430
2431 if(ret != 0) {
2432 free_sec_desc(&psd);
2433 return(UNIXERROR(ERRDOS,ERRnoaccess));
2434 }
2435 }
2436
2437 /*
2438 * Unpack the user/group/world id's and permissions.
2439 */
2440
2441 if(!unpack_nt_permissions( &sbuf, &user, &grp, &perms, security_info_sent, psd, fsp->is_directory)) {
2442 free_sec_desc(&psd);
2443 return(UNIXERROR(ERRDOS,ERRnoaccess));
2444 }
2445
2446 if (psd->dacl != NULL)
2447 got_dacl = True;
2448
2449 free_sec_desc(&psd);
2450
2451 /*
2452 * Do we need to chown ?
2453 */
2454
2455 if((user != (uid_t)-1 || grp != (uid_t)-1) && (sbuf.st_uid != user || sbuf.st_gid != grp)) {
2456
2457 DEBUG(3,("call_nt_transact_set_security_desc: chown %s. uid = %u, gid = %u.\n",
2458 fsp->fsp_name, (unsigned int)user, (unsigned int)grp ));
2459
2460 if(dos_chown( fsp->fsp_name, user, grp) == -1) {
2461 DEBUG(3,("call_nt_transact_set_security_desc: chown %s, %u, %u failed. Error = %s.\n",
2462 fsp->fsp_name, (unsigned int)user, (unsigned int)grp, strerror(errno) ));
2463 return(UNIXERROR(ERRDOS,ERRnoaccess));
2464 }
2465
2466 /*
2467 * Recheck the current state of the file, which may have changed.
2468 * (suid/sgid bits, for instance)
2469 */
2470
2471 if(fsp->is_directory) {
2472 if(dos_stat(fsp->fsp_name, &sbuf) != 0) {
2473 return(UNIXERROR(ERRDOS,ERRnoaccess));
2474 }
2475 } else {
2476
2477 int ret;
2478
2479 if(fsp->fd_ptr == NULL)
2480 ret = dos_stat(fsp->fsp_name, &sbuf);
2481 else
2482 ret = sys_fstat(fsp->fd_ptr->fd,&sbuf);
2483
2484 if(ret != 0)
2485 return(UNIXERROR(ERRDOS,ERRnoaccess));
2486 }
2487 }
2488
2489 /*
2490 * Only change security if we got a DACL.
2491 */
2492
2493 if((security_info_sent & DACL_SECURITY_INFORMATION) && got_dacl) {
2494
2495 /*
2496 * Check to see if we need to change anything.
2497 * Enforce limits on modified bits *only*. Don't enforce masks
2498 * on bits not changed by the user.
2499 */
2500
2501 if(fsp->is_directory) {
2502
2503 perms &= (lp_dir_security_mask(SNUM(conn)) | sbuf.st_mode);
2504 perms |= (lp_force_dir_security_mode(SNUM(conn)) & ( perms ^ sbuf.st_mode ));
2505
2506 } else {
2507
2508 perms &= (lp_security_mask(SNUM(conn)) | sbuf.st_mode);
2509 perms |= (lp_force_security_mode(SNUM(conn)) & ( perms ^ sbuf.st_mode ));
2510
2511 }
2512
2513 /*
2514 * Preserve special bits.
2515 */
2516
2517 perms |= (sbuf.st_mode & ~0777);
2518
2519 /*
2520 * Do we need to chmod ?
2521 */
2522
2523 if(sbuf.st_mode != perms) {
2524
2525 DEBUG(3,("call_nt_transact_set_security_desc: chmod %s. perms = 0%o.\n",
2526 fsp->fsp_name, (unsigned int)perms ));
2527
2528 if(dos_chmod( fsp->fsp_name, perms) == -1) {
2529 DEBUG(3,("call_nt_transact_set_security_desc: chmod %s, 0%o failed. Error = %s.\n",
2530 fsp->fsp_name, (unsigned int)perms, strerror(errno) ));
2531 return(UNIXERROR(ERRDOS,ERRnoaccess));
2532 }
2533 }
2534 }
2535
2536 send_nt_replies(inbuf, outbuf, bufsize, 0, NULL, 0, NULL, 0);
2537 return -1;
2538 }
2539
2540 /****************************************************************************
2541 Reply to IOCTL - not implemented - no plans.
2542 ****************************************************************************/
2543 static int call_nt_transact_ioctl(connection_struct *conn,
2544 char *inbuf, char *outbuf, int length,
2545 int bufsize,
2546 char **ppsetup, char **ppparams, char **ppdata)
2547 {
2548 static BOOL logged_message = False;
2549
2550 if(!logged_message) {
2551 DEBUG(3,("call_nt_transact_ioctl: Currently not implemented.\n"));
2552 logged_message = True; /* Only print this once... */
2553 }
2554 return(ERROR(ERRSRV,ERRnosupport));
2555 }
2556
2557 /****************************************************************************
2558 Reply to a SMBNTtrans.
2559 ****************************************************************************/
2560 int reply_nttrans(connection_struct *conn,
2561 char *inbuf,char *outbuf,int length,int bufsize)
2562 {
2563 int outsize = 0;
2564 #if 0 /* Not used. */
2565 uint16 max_setup_count = CVAL(inbuf, smb_nt_MaxSetupCount);
2566 uint32 max_parameter_count = IVAL(inbuf, smb_nt_MaxParameterCount);
2567 uint32 max_data_count = IVAL(inbuf,smb_nt_MaxDataCount);
2568 #endif /* Not used. */
2569 uint32 total_parameter_count = IVAL(inbuf, smb_nt_TotalParameterCount);
2570 uint32 total_data_count = IVAL(inbuf, smb_nt_TotalDataCount);
2571 uint32 parameter_count = IVAL(inbuf,smb_nt_ParameterCount);
2572 uint32 parameter_offset = IVAL(inbuf,smb_nt_ParameterOffset);
2573 uint32 data_count = IVAL(inbuf,smb_nt_DataCount);
2574 uint32 data_offset = IVAL(inbuf,smb_nt_DataOffset);
2575 uint16 setup_count = 2*CVAL(inbuf,smb_nt_SetupCount); /* setup count is in *words* */
2576 uint16 function_code = SVAL( inbuf, smb_nt_Function);
2577 char *params = NULL, *data = NULL, *setup = NULL;
2578 uint32 num_params_sofar, num_data_sofar;
2579
2580 if(global_oplock_break && (function_code == NT_TRANSACT_CREATE)) {
2581 /*
2582 * Queue this open message as we are the process of an oplock break.
2583 */
2584
2585 DEBUG(2,("reply_nttrans: queueing message NT_TRANSACT_CREATE \
2586 due to being in oplock break state.\n" ));
2587
2588 push_oplock_pending_smb_message( inbuf, length);
2589 return -1;
2590 }
2591
2592 outsize = set_message(outbuf,0,0,True);
2593
2594 /*
2595 * All nttrans messages we handle have smb_wct == 19 + setup_count.
2596 * Ensure this is so as a sanity check.
2597 */
2598
2599 if(CVAL(inbuf, smb_wct) != 19 + (setup_count/2)) {
2600 DEBUG(2,("Invalid smb_wct %d in nttrans call (should be %d)\n",
2601 CVAL(inbuf, smb_wct), 19 + (setup_count/2)));
2602 return(ERROR(ERRSRV,ERRerror));
2603 }
2604
2605 /* Allocate the space for the setup, the maximum needed parameters and data */
2606
2607 if(setup_count > 0)
2608 setup = (char *)malloc(setup_count);
2609 if (total_parameter_count > 0)
2610 params = (char *)malloc(total_parameter_count);
2611 if (total_data_count > 0)
2612 data = (char *)malloc(total_data_count);
2613
2614 if ((total_parameter_count && !params) || (total_data_count && !data) ||
2615 (setup_count && !setup)) {
2616 SAFE_FREE(setup);
2617 SAFE_FREE(params);
2618 SAFE_FREE(data);
2619 DEBUG(0,("reply_nttrans : Out of memory\n"));
2620 return ERROR(ERRDOS,ERRnomem);
2621 }
2622
2623 /* Copy the param and data bytes sent with this request into
2624 the params buffer */
2625 num_params_sofar = parameter_count;
2626 num_data_sofar = data_count;
2627
2628 if (parameter_count > total_parameter_count || data_count > total_data_count)
2629 goto bad_param;
2630
2631 if(setup) {
2632 DEBUG(10,("reply_nttrans: setup_count = %d\n", setup_count));
2633 if ((smb_nt_SetupStart + setup_count < smb_nt_SetupStart) ||
2634 (smb_nt_SetupStart + setup_count < setup_count))
2635 goto bad_param;
2636 if (smb_nt_SetupStart + setup_count > length)
2637 goto bad_param;
2638
2639 memcpy( setup, &inbuf[smb_nt_SetupStart], setup_count);
2640 }
2641 if(params) {
2642 DEBUG(10,("reply_nttrans: parameter_count = %d\n", parameter_count));
2643 if ((parameter_offset + parameter_count < parameter_offset) ||
2644 (parameter_offset + parameter_count < parameter_count))
2645 goto bad_param;
2646 if (smb_base(inbuf) + parameter_offset + parameter_count > inbuf + length)
2647 goto bad_param;
2648
2649 memcpy( params, smb_base(inbuf) + parameter_offset, parameter_count);
2650 }
2651 if(data) {
2652 DEBUG(10,("reply_nttrans: data_count = %d\n",data_count));
2653 if ((data_offset + data_count < data_offset) || (data_offset + data_count < data_count))
2654 goto bad_param;
2655 if (smb_base(inbuf) + data_offset + data_count > inbuf + length)
2656 goto bad_param;
2657
2658 memcpy( data, smb_base(inbuf) + data_offset, data_count);
2659
2660 }
2661
2662 if(num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) {
2663 /* We need to send an interim response then receive the rest
2664 of the parameter/data bytes */
2665 outsize = set_message(outbuf,0,0,True);
2666 if (!send_smb(Client,outbuf))
2667 exit_server("reply_nttrans: send_smb failed.");
2668
2669 while( num_data_sofar < total_data_count || num_params_sofar < total_parameter_count) {
2670 BOOL ret;
2671 uint32 parameter_displacement;
2672 uint32 data_displacement;
2673
2674 ret = receive_next_smb(inbuf,bufsize,SMB_SECONDARY_WAIT);
2675
2676 if((ret && (CVAL(inbuf, smb_com) != SMBnttranss)) || !ret) {
2677 outsize = set_message(outbuf,0,0,True);
2678 if(ret) {
2679 DEBUG(0,("reply_nttrans: Invalid secondary nttrans packet\n"));
2680 } else {
2681 DEBUG(0,("reply_nttrans: %s in getting secondary nttrans response.\n",
2682 (smb_read_error == READ_ERROR) ? "error" : "timeout" ));
2683 }
2684 goto bad_param;
2685 }
2686
2687 /* Revise total_params and total_data in case they have changed downwards */
2688 if (IVAL(inbuf, smb_nts_TotalParameterCount) < total_parameter_count)
2689 total_parameter_count = IVAL(inbuf, smb_nts_TotalParameterCount);
2690 if (IVAL(inbuf, smb_nts_TotalDataCount) < total_data_count)
2691 total_data_count = IVAL(inbuf, smb_nts_TotalDataCount);
2692
2693 parameter_count = IVAL(inbuf,smb_nts_ParameterCount);
2694 parameter_offset = IVAL(inbuf, smb_nts_ParameterOffset);
2695 parameter_displacement = IVAL(inbuf, smb_nts_ParameterDisplacement);
2696 num_params_sofar += parameter_count;
2697
2698 data_count = IVAL(inbuf, smb_nts_DataCount);
2699 data_displacement = IVAL(inbuf, smb_nts_DataDisplacement);
2700 data_offset = IVAL(inbuf, smb_nts_DataOffset);
2701 num_data_sofar += data_count;
2702
2703 if (num_params_sofar > total_parameter_count || num_data_sofar > total_data_count) {
2704 DEBUG(0,("reply_nttrans2: data overflow in secondary nttrans packet"));
2705 goto bad_param;
2706 }
2707
2708 if (parameter_count) {
2709 if (parameter_displacement + parameter_count >= total_parameter_count)
2710 goto bad_param;
2711 if ((parameter_displacement + parameter_count < parameter_displacement) ||
2712 (parameter_displacement + parameter_count < parameter_count))
2713 goto bad_param;
2714 if (smb_base(inbuf) + parameter_offset + parameter_count >= inbuf + bufsize)
2715 goto bad_param;
2716 if (params + parameter_displacement < params)
2717 goto bad_param;
2718
2719 memcpy( &params[parameter_displacement], smb_base(inbuf) + parameter_offset, parameter_count);
2720 }
2721
2722 if (data_count) {
2723 if (data_displacement + data_count >= total_data_count)
2724 goto bad_param;
2725 if ((data_displacement + data_count < data_displacement) ||
2726 (data_displacement + data_count < data_count))
2727 goto bad_param;
2728 if (smb_base(inbuf) + data_offset + data_count >= inbuf + bufsize)
2729 goto bad_param;
2730 if (data + data_displacement < data)
2731 goto bad_param;
2732
2733 memcpy( &data[data_displacement], smb_base(inbuf)+ data_offset, data_count);
2734 }
2735 }
2736 }
2737
2738 if (Protocol >= PROTOCOL_NT1) {
2739 uint16 flg2 = SVAL(outbuf,smb_flg2);
2740 SSVAL(outbuf,smb_flg2,flg2 | 0x40); /* IS_LONG_NAME */
2741 }
2742
2743 /* Now we must call the relevant NT_TRANS function */
2744 switch(function_code) {
2745 case NT_TRANSACT_CREATE:
2746 outsize = call_nt_transact_create(conn, inbuf, outbuf, length, bufsize,
2747 &setup, &params, &data);
2748 break;
2749 case NT_TRANSACT_IOCTL:
2750 outsize = call_nt_transact_ioctl(conn,
2751 inbuf, outbuf, length, bufsize,
2752 &setup, &params, &data);
2753 break;
2754 case NT_TRANSACT_SET_SECURITY_DESC:
2755 outsize = call_nt_transact_set_security_desc(conn, inbuf, outbuf,
2756 length, bufsize,
2757 &setup, &params, &data);
2758 break;
2759 case NT_TRANSACT_NOTIFY_CHANGE:
2760 outsize = call_nt_transact_notify_change(conn, inbuf, outbuf,
2761 length, bufsize,
2762 &setup, &params, &data);
2763 break;
2764 case NT_TRANSACT_RENAME:
2765 outsize = call_nt_transact_rename(conn, inbuf, outbuf, length,
2766 bufsize,
2767 &setup, &params, &data);
2768 break;
2769
2770 case NT_TRANSACT_QUERY_SECURITY_DESC:
2771 outsize = call_nt_transact_query_security_desc(conn, inbuf, outbuf,
2772 length, bufsize,
2773 &setup, &params, &data);
2774 break;
2775 default:
2776 /* Error in request */
2777 DEBUG(0,("reply_nttrans: Unknown request %d in nttrans call\n", function_code));
2778 if(setup)
2779 free(setup);
2780 if(params)
2781 free(params);
2782 if(data)
2783 free(data);
2784 return (ERROR(ERRSRV,ERRerror));
2785 }
2786
2787 /* As we do not know how many data packets will need to be
2788 returned here the various call_nt_transact_xxxx calls
2789 must send their own. Thus a call_nt_transact_xxxx routine only
2790 returns a value other than -1 when it wants to send
2791 an error packet.
2792 */
2793
2794 if(setup)
2795 free(setup);
2796 if(params)
2797 free(params);
2798 if(data)
2799 free(data);
2800 return outsize; /* If a correct response was needed the call_nt_transact_xxxx
2801 calls have already sent it. If outsize != -1 then it is
2802 returning an error packet. */
2803 bad_param:
2804
2805 SAFE_FREE(params);
2806 SAFE_FREE(data);
2807 SAFE_FREE(setup);
2808 return ERROR(ERRDOS,ERRinvalidparam);
2809 }
Tomato firmware and modifications.